Описание
Planet's secret file is created with excessive permissions
Impact
The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but its permissions allowed the user's group and non-group to read the file as well.
Validation
Check the permissions on the secret file with ls -l ~/.planet.json and ensure that they read as -rw-------
Patches
Workarounds
Set the secret file permissions to only user read/write by hand:
Ссылки
- https://github.com/planetlabs/planet-client-python/security/advisories/GHSA-j5fj-rfh6-qj85
- https://nvd.nist.gov/vuln/detail/CVE-2023-32303
- https://github.com/planetlabs/planet-client-python/commit/d71415a83119c5e89d7b80d5f940d162376ee3b7
- https://github.com/planetlabs/planet-client-python/releases/tag/2.0.1
- https://github.com/pypa/advisory-database/tree/main/vulns/planet/PYSEC-2023-71.yaml
Пакеты
planet
< 2.0.1
2.0.1
Связанные уязвимости
Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the user's group and non-group to read the file as well. This issue was patched in version 2.0.1. As a workaround, set the secret file permissions to only user read/write by hand.