Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNWZqLXJmaDYtcWo4Nc4AAzUI
Planet's secret file is created with excessive permissions
Impact
The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but its permissions allowed the user's group and non-group to read the file as well.
Validation
Check the permissions on the secret file with ls -l ~/.planet.json and ensure that they read as -rw-------
Patches
Workarounds
Set the secret file permissions to only user read/write by hand:
chmod 600 ~/.planet.json
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNWZqLXJmaDYtcWo4Nc4AAzUI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 17 days ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-j5fj-rfh6-qj85, CVE-2023-32303
References:
- https://github.com/planetlabs/planet-client-python/security/advisories/GHSA-j5fj-rfh6-qj85
- https://nvd.nist.gov/vuln/detail/CVE-2023-32303
- https://github.com/planetlabs/planet-client-python/releases/tag/2.0.1
- https://github.com/planetlabs/planet-client-python/commit/d71415a83119c5e89d7b80d5f940d162376ee3b7
- https://github.com/pypa/advisory-database/tree/main/vulns/planet/PYSEC-2023-71.yaml
- https://github.com/advisories/GHSA-j5fj-rfh6-qj85
Affected Packages
pypi:planet
Versions: < 2.0.1Fixed in: 2.0.1