Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qNWZqLXJmaDYtcWo4Nc4AAzUI

Planet's secret file is created with excessive permissions

Impact

The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but its permissions allowed the user's group and non-group to read the file as well.

Validation

Check the permissions on the secret file with ls -l ~/.planet.json and ensure that they read as -rw-------.

Patches

d71415a8

Workarounds

Set the secret file permissions to only user read/write by hand:

chmod 600 ~/.planet.json
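The over-permissive default the advisory describes and the 0600 mode the workaround sets, as an added Python example (not code from planet-client-python): the secret file is created with the mode passed to os.open, tightened again when it already exists, and its mode is read back the way ls -l prints it. The path and key values are constructed stand-ins for ~/.planet.json and a real API key.

```python
# Added example (not the planet client's own code): create the secret file so
# that only the owning user can read or write it, then verify the mode. The
# path stands in for ~/.planet.json; a POSIX filesystem is assumed.
import json
import os
import stat
import tempfile

USER_ONLY = 0o600  # -rw------- : owner read/write, no group or other access


def write_secret_file(path, secrets):
    """Write secrets as JSON with mode 0600, whether or not the file exists."""
    # Passing the mode to os.open means a freshly created file is never, even
    # briefly, readable by group or others (which is what open() with a default
    # umask of 022 produces: -rw-r--r--).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, USER_ONLY)
    with os.fdopen(fd, "w") as fh:
        # The creation mode is ignored for a pre-existing file and is still
        # subject to umask, so tighten it explicitly on the open descriptor.
        os.fchmod(fd, USER_ONLY)
        json.dump(secrets, fh)


def file_mode(path):
    """Permission bits of path as an int, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def mode_string(path):
    """The mode as ls -l prints it, e.g. '-rw-------'."""
    return stat.filemode(os.stat(path).st_mode)


def demo():
    """Create, loosen and re-secure a sample secret file in a temp dir and
    return the ls-style mode seen at each step."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "planet.json")  # constructed stand-in
        write_secret_file(path, {"key": "constructed-sample-key"})
        secure = mode_string(path)
        os.chmod(path, 0o644)  # reproduce the over-permissive pre-fix state
        loosened = mode_string(path)
        write_secret_file(path, {"key": "rotated-sample-key"})
        return secure, loosened, mode_string(path)


if __name__ == "__main__":
    print(demo())  # ('-rw-------', '-rw-r--r--', '-rw-------')
```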

Permalink: https://github.com/advisories/GHSA-j5fj-rfh6-qj85
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNWZqLXJmaDYtcWo4Nc4AAzUI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 8 months ago


CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-j5fj-rfh6-qj85, CVE-2023-32303
References: Repository: https://github.com/planetlabs/planet-client-python
Blast Radius: 8.8

Affected Packages

pypi:planet
Dependent packages: 2
Dependent repositories: 40
Downloads: 5,891 last month
Affected Version Ranges: < 2.0.1
Fixed in: 2.0.1
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.5.0, 1.5.1, 1.5.2, 2.0.0
All unaffected versions: 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.7.1, 2.10.0