mirror of
https://github.com/biscuit-auth/biscuit.git
synced 2024-08-15 23:20:37 +03:00
46 lines
1.1 KiB
Markdown
46 lines
1.1 KiB
Markdown
# Security
|
|
|
|
## Vulnerabilities
|
|
|
|
### 1 - 2021/05/06 - rules can generate fact with authority or ambient tags using variables
|
|
|
|
Affected versions:
|
|
- Rust <1.1.0
|
|
- Java: <1.1.0
|
|
- Go: <1.0.0
|
|
|
|
#### Description
|
|
|
|
Rules of the format `operation($ambient, #read) <- operation($ambient, $any)`
|
|
provided by blocks other than the authority block could be used to generate
|
|
facts with the `#authority` or `#ambient` tags.
|
|
This can result in elevation of privilege.
|
|
|
|
#### Recommandations
|
|
|
|
Upgrade immediately to non affected versions
|
|
|
|
#### Credits
|
|
|
|
This issue was reported by @svvac. Thanks a lot!
|
|
|
|
### 0 - 2021/05/06 - unbound variables in rule head
|
|
|
|
Affected versions:
|
|
- Rust <1.0.1
|
|
- Java: results in Null Pointer Exception in versions <1.1.0
|
|
- Go: not affected
|
|
|
|
#### Description
|
|
|
|
Rules of the format `operation($unbound, #read) <- operation($any1, $any2)` could generate invalid facts containing variables, that would then confuse matching of other checks and make them succeed.
|
|
This can result in elevation of privilege.
|
|
|
|
#### Recommandations
|
|
|
|
Upgrade immediately to non affected versions
|
|
|
|
#### Credits
|
|
|
|
This issue was reported by @svvac. Thanks a lot!
|