mirror of https://github.com/biscuit-auth/biscuit.git, synced 2024-09-11 06:15:30 +03:00
# Security
## Vulnerabilities
### 1 - 2021/05/06 - rules can generate facts with authority or ambient tags using variables
Affected versions:
- Rust: <1.1.0
- Java: <1.1.0
- Go: <1.0.0
#### Description
Rules of the format `operation($ambient, #read) <- operation($ambient, $any)`, provided by blocks other than the authority block, could be used to generate facts carrying the `#authority` or `#ambient` tags. The first term of the head is a variable rather than a literal tag, and it binds to `#ambient` as soon as the body matches a fact supplied at verification time such as `operation(#ambient, #write)`; the rule then emits `operation(#ambient, #read)`, a fact that only the authority block or the verifier should be able to assert.

This can result in elevation of privilege: a block that is only supposed to attenuate a token can grant itself rights it was never given.
#### Recommendations
Upgrade immediately to a non-affected version.
#### Credits
This issue was reported by @svvac. Thanks a lot!
### 0 - 2021/05/06 - unbound variables in rule head
Affected versions:
- Rust: <1.0.1
- Java: results in a NullPointerException in versions <1.1.0
- Go: not affected
#### Description
Rules of the format `operation($unbound, #read) <- operation($any1, $any2)`, in which the head variable `$unbound` never appears in the body, could generate invalid facts that still contain variables. Such facts then confused the matching of other checks and made them succeed.
This can result in elevation of privilege.
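The following is an added illustration of both advisories on this page (the unbound-variable case here and the variable-tag case in advisory 1 above). It is not biscuit's own code and not the fix the project shipped: it models a small subset of the v1 Datalog (symbols, variables, single-body rules), evaluates a rule without any checks so the forged facts become visible, and then shows the two validations a rule loader should run before execution. The `Term`/`Predicate`/`Rule` types, the `validate_rule` function, the `from_authority_block` flag and the sample `operation(#ambient, #write)` fact are all assumptions made for this example.

```rust
use std::collections::HashMap;

/// A term is a symbol (`#ambient`, stored without `#`) or a variable (`$any`, without `$`).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Term { Symbol(String), Variable(String) }

/// A predicate such as `operation(#ambient, #read)`.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Predicate { pub name: String, pub terms: Vec<Term> }

/// A rule `head <- body`, restricted here to a single body predicate.
pub struct Rule { pub head: Predicate, pub body: Predicate }

pub fn sym(s: &str) -> Term { Term::Symbol(s.to_string()) }
pub fn var(s: &str) -> Term { Term::Variable(s.to_string()) }
pub fn pred(name: &str, terms: &[Term]) -> Predicate {
    Predicate { name: name.to_string(), terms: terms.to_vec() }
}

/// Render a predicate in the advisory's notation, e.g. `operation(#ambient, #read)`.
pub fn render(p: &Predicate) -> String {
    let terms: Vec<String> = p.terms.iter().map(|t| match t {
        Term::Symbol(s) => format!("#{}", s),
        Term::Variable(v) => format!("${}", v),
    }).collect();
    format!("{}({})", p.name, terms.join(", "))
}

/// Advisory 0: a head variable that never appears in the body stays unbound, so the
/// "fact" the rule produces would still contain a variable.
pub fn has_unbound_head_variable(rule: &Rule) -> bool {
    rule.head.terms.iter().any(|t| matches!(t, Term::Variable(_)) && !rule.body.terms.contains(t))
}

/// Advisory 1: a rule outside the authority block must not be able to emit a fact tagged
/// `#authority` or `#ambient`. A literal tag in first position is the obvious case; a
/// variable there binds to such a tag as soon as the body matches a trusted fact.
pub fn can_forge_trusted_fact(rule: &Rule, from_authority_block: bool) -> bool {
    if from_authority_block { return false; }
    match rule.head.terms.first() {
        Some(Term::Symbol(s)) => s == "authority" || s == "ambient",
        Some(Term::Variable(_)) => true,
        None => false,
    }
}

/// Both checks, to be run on every block rule before it is ever executed.
pub fn validate_rule(rule: &Rule, from_authority_block: bool) -> Result<(), &'static str> {
    if has_unbound_head_variable(rule) { return Err("unbound variable in rule head"); }
    if can_forge_trusted_fact(rule, from_authority_block) {
        return Err("block rule could generate an #authority or #ambient fact");
    }
    Ok(())
}

/// Unchecked evaluation of one rule: unify the body with each fact, then substitute the
/// bindings into the head. Unbound head variables are copied through unchanged, which
/// reproduces the behaviour advisory 0 describes.
pub fn apply_rule(rule: &Rule, facts: &[Predicate]) -> Vec<Predicate> {
    let mut out = Vec::new();
    for fact in facts {
        if fact.name != rule.body.name || fact.terms.len() != rule.body.terms.len() { continue; }
        let mut bindings: HashMap<&str, &Term> = HashMap::new();
        let mut matched = true;
        for (pattern, actual) in rule.body.terms.iter().zip(&fact.terms) {
            match pattern {
                Term::Symbol(_) => matched &= pattern == actual,
                Term::Variable(v) => match bindings.insert(v.as_str(), actual) {
                    Some(prev) => matched &= prev == actual,
                    None => {}
                },
            }
        }
        if !matched { continue; }
        let terms = rule.head.terms.iter().map(|t| match t {
            Term::Variable(v) => bindings.get(v.as_str()).map(|b| (*b).clone()).unwrap_or_else(|| t.clone()),
            other => other.clone(),
        }).collect();
        out.push(Predicate { name: rule.head.name.clone(), terms });
    }
    out
}

fn main() {
    // Constructed verifier fact: the current request is tagged #ambient and is a #write.
    let facts = vec![pred("operation", &[sym("ambient"), sym("write")])];
    // The two advisory rules, as if supplied by a block other than the authority block.
    let forge = Rule { head: pred("operation", &[var("ambient"), sym("read")]),
                       body: pred("operation", &[var("ambient"), var("any")]) };
    let unbound = Rule { head: pred("operation", &[var("unbound"), sym("read")]),
                         body: pred("operation", &[var("any1"), var("any2")]) };
    for (label, rule) in [("advisory 1", &forge), ("advisory 0", &unbound)] {
        for f in apply_rule(rule, &facts) {
            println!("{}: unchecked evaluation generated {}", label, render(&f));
        }
        println!("{}: validate_rule -> {:?}", label, validate_rule(rule, false));
    }
}
```

Run with `rustc` or `cargo run`: the advisory 1 rule yields `operation(#ambient, #read)` and the advisory 0 rule yields `operation($unbound, #read)` when evaluated unchecked, and `validate_rule` rejects both. The point for anyone writing a Datalog-style policy engine is that both checks are purely syntactic and cheap, so they belong at rule-loading time, before any fact is generated; the actual remedy for biscuit users remains the version upgrade stated in the recommendations.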
#### Recommendations
Upgrade immediately to a non-affected version.
#### Credits
This issue was reported by @svvac. Thanks a lot!