{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T19:09:31.111","vulnerabilities":[{"cve":{"id":"CVE-2022-31053","sourceIdentifier":"security-advisories@github.com","published":"2022-06-13T20:15:07.820","lastModified":"2024-11-21T07:03:47.747","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue."},{"lang":"es","value":"Biscuit es un token de autenticación y autorización para arquitecturas de microservicios. La versión 1 de la especificación de Biscuit contiene un algoritmo vulnerable que permite a actores maliciosos falsificar firmas válidas. Un ataque de este tipo permitiría a un atacante crear un token con cualquier nivel de acceso. La versión 2 de la especificación impone un algoritmo diferente a las firmas gamma y, como tal, no está afectada por esta vulnerabilidad. Las implementaciones de Biscuit en Rust, Haskell, Go, Java y Javascript han publicado versiones que siguen la especificación v2. No se presentan mitigaciones conocidas para este problema"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-347"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:biscuitsec:biscuit-auth:*:*:*:*:*:rust:*:*","versionStartIncluding":"1.0.0","versionEndIncluding":"1.1.0","matchCriteriaId":"0E563805-9EDE-4DF0-82CB-869AD67AC574"},{"vulnerable":true,"criteria":"cpe:2.3:a:biscuitsec:biscuit-go:*:*:*:*:*:*:*:*","versionEndExcluding":"2.0.0","matchCriteriaId":"3D442EFC-06BF-429F-848C-7BF4B7438BEB"},{"vulnerable":true,"criteria":"cpe:2.3:a:biscuitsec:biscuit-haskell:0.1.1.0:*:*:*:*:*:*:*","matchCriteriaId":"3E24AA7F-9A5F-4032-BE61-BD0B4AB77465"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:clever-cloud:biscuit-java:*:*:*:*:*:*:*:*","versionEndExcluding":"2.0.0","matchCriteriaId":"020BC888-E2CE-4B88-A043-F7EE3DC54A62"}]}]}],"references":[{"url":"https://eprint.iacr.org/2020/1484","source":"security-advisories@github.com","tags":["Exploit","Technical Description","Third Party Advisory"]},{"url":"https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://eprint.iacr.org/2020/1484","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Technical Description","Third Party Advisory"]},{"url":"https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]}]}}]}