mirror of
https://github.com/biscuit-auth/biscuit.git
synced 2024-10-26 06:40:35 +03:00
Security
Vulnerabilities
1 - 2021/05/06 - rules can generate fact with authority or ambient tags using variables
Affected versions:
- Rust <1.1.0
- Java: <1.1.0
- Go: <1.0.0
Description
Rules of the format operation($ambient, #read) <- operation($ambient, $any)
provided by blocks other than the authority block could be used to generate
facts with the #authority or #ambient tags.
This can result in elevation of privilege.
Recommendations
Upgrade immediately to a non-affected version.
Credits
This issue was reported by @svvac. Thanks a lot!
0 - 2021/05/06 - unbound variables in rule head
Affected versions:
- Rust <1.0.1
- Java: results in Null Pointer Exception in versions <1.1.0
- Go: not affected
Description
Rules of the format operation($unbound, #read) <- operation($any1, $any2)
could generate invalid facts containing variables, which would then confuse the matching of other checks and make them succeed.
This can result in elevation of privilege.
Recommendations
Upgrade immediately to a non-affected version.
Credits
This issue was reported by @svvac. Thanks a lot!
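To make both advisories concrete, the following is an added Python model of a minimal Datalog rule evaluator with the two checks that the fixed versions need. It is not Biscuit's own code (the library is written in Rust, Java and Go) and its names (Symbol, Variable, Predicate, Rule, derive, RESERVED_TAGS) are this example's own. It assumes the Biscuit 1.x convention that a fact's tag is its first term. The point of advisory 1 is that a head such as operation($ambient, #read) carries no reserved tag until $ambient is bound, so the check has to run on each derived fact, not on the literal rule head; the point of advisory 0 is that a head variable absent from the body must be rejected before the rule is ever applied.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Toy model of Biscuit 1.x Datalog terms (this example's types, not the library's):
# Symbol("ambient") stands for `#ambient`, Variable("any") for `$any`, a str is a string literal.
@dataclass(frozen=True)
class Symbol:
    name: str

@dataclass(frozen=True)
class Variable:
    name: str

@dataclass(frozen=True)
class Predicate:
    name: str
    terms: Tuple[object, ...]

@dataclass(frozen=True)
class Rule:
    head: Predicate
    body: Tuple[Predicate, ...]

# Tags only the authority block (index 0) and the verifier may put on facts.
# Assumption of this model: the tag is the first term of a fact.
RESERVED_TAGS = {"authority", "ambient"}

def unify(pattern: Predicate, fact: Predicate, binding: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Extend `binding` so that `pattern` matches `fact`, or return None."""
    if pattern.name != fact.name or len(pattern.terms) != len(fact.terms):
        return None
    extended = dict(binding)
    for pt, ft in zip(pattern.terms, fact.terms):
        if isinstance(pt, Variable):
            if pt.name in extended and extended[pt.name] != ft:
                return None
            extended[pt.name] = ft
        elif pt != ft:
            return None
    return extended

def match_body(body: Tuple[Predicate, ...], facts: Set[Predicate], binding: Dict[str, object]) -> Iterator[Dict[str, object]]:
    """Yield every binding under which all body predicates match some fact."""
    if not body:
        yield binding
        return
    for fact in facts:
        extended = unify(body[0], fact, binding)
        if extended is not None:
            yield from match_body(body[1:], facts, extended)

def substitute(head: Predicate, binding: Dict[str, object]) -> Predicate:
    return Predicate(head.name, tuple(binding[t.name] if isinstance(t, Variable) else t for t in head.terms))

def head_is_bound(rule: Rule) -> bool:
    """Advisory 0: every head variable must appear in the body, otherwise the generated
    'fact' would still contain a variable and match later checks spuriously."""
    head_vars = {t.name for t in rule.head.terms if isinstance(t, Variable)}
    body_vars = {t.name for p in rule.body for t in p.terms if isinstance(t, Variable)}
    return head_vars <= body_vars

def derive(rule: Rule, facts: Set[Predicate], block_index: int) -> Tuple[Set[Predicate], List[Predicate]]:
    """Apply `rule` (loaded from block `block_index`) to `facts`; return (accepted, rejected).

    Advisory 1: the reserved-tag check runs on each derived fact, because the head
    operation($ambient, #read) only carries the tag once $ambient has been bound."""
    if not head_is_bound(rule):
        raise ValueError("rule head has unbound variables")
    accepted: Set[Predicate] = set()
    rejected: List[Predicate] = []
    for binding in match_body(rule.body, facts, {}):
        fact = substitute(rule.head, binding)
        tag = fact.terms[0] if fact.terms else None
        if block_index != 0 and isinstance(tag, Symbol) and tag.name in RESERVED_TAGS:
            rejected.append(fact)  # a non-authority block may not mint #authority/#ambient facts
        else:
            accepted.add(fact)
    return accepted, rejected

# Constructed sample facts standing in for the verifier's ambient context.
FACTS = {
    Predicate("operation", (Symbol("ambient"), Symbol("write"))),
    Predicate("resource", (Symbol("ambient"), "file1")),
}

# The rule shape from advisory 1, as if loaded from a non-authority block.
PRIVILEGE_RULE = Rule(
    head=Predicate("operation", (Variable("ambient"), Symbol("read"))),
    body=(Predicate("operation", (Variable("ambient"), Variable("any"))),),
)

# The rule shape from advisory 0: $unbound never appears in the body.
UNBOUND_RULE = Rule(
    head=Predicate("operation", (Variable("unbound"), Symbol("read"))),
    body=(Predicate("operation", (Variable("any1"), Variable("any2"))),),
)

# A rule a block may legitimately add: its derived fact is tagged with a string, not #ambient.
BENIGN_RULE = Rule(
    head=Predicate("wanted", (Variable("res"),)),
    body=(Predicate("resource", (Symbol("ambient"), Variable("res"))),),
)
```

Running derive(PRIVILEGE_RULE, FACTS, block_index=1) yields no accepted facts and one rejected fact, operation(#ambient, #read); the same rule from block 0 is accepted, which is the behaviour the fixed versions restore. derive(UNBOUND_RULE, ...) raises before any fact is produced, and BENIGN_RULE derives wanted("file1") from any block.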