
CVE-2024-41948

Low

Published: 01 August 2024

Modified: 09 August 2024
KEV Added: not listed
Patch: not recorded
CVSS Score v3.1: 3.0 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N)
EPSS Score: 0.0016 (36.6th percentile)
Risk Priority: 6 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-41948 is a low-severity Improper Restriction of Security Token Assignment (CWE-1259) vulnerability in Biscuitsec Biscuit-Java. Its CVSS base score is 3.0 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 36.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

biscuit-java is the Java implementation of Biscuit, an authentication and authorization token for microservices architectures. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the information needed to generate a third-party block and to sign it: the public key of the previous block (used in the signature) and the public keys that are part of the token symbol table (used for public key interning in Datalog expressions). A third-party block request forged by a malicious user can trick the third-party authority into generating Datalog that trusts the wrong keypair. This vulnerability is fixed in 4.0.0.

CWE(s)

CWE-1259 Improper Restriction of Security Token Assignment

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

CVE-2024-41948 is exploitable over the network (AV:N) against the third-party block generation service in biscuit-java, but only via forged requests that require high attack complexity and high privileges (AC:H/PR:H). A successful forgery tricks the third-party authority into issuing an authorization block that trusts an attacker-controlled keypair, which is a path to privilege escalation.

Affected Assets

biscuitsec
biscuit-java
3.0.0 — 4.0.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
