CVE-2023-32303

EPSS 0.26%
Veröffentlicht 12.05.2023 21:15:09
Zuletzt bearbeitet 21.11.2024 08:03:04
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Planet's secret file is created with excessive permissions

Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the user's group and non-group to read the file as well. This issue was patched in version 2.0.1. As a workaround, set the secret file permissions to only user read/write by hand.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Planet ≫ Planet Version < 2.0.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.26%	0.165

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	5.2	2	2.7	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

https://github.com/planetlabs/planet-client-python/commit/d71415a83119c5e89d7b80d5f940d162376ee3b7

Patch

https://github.com/planetlabs/planet-client-python/releases/tag/2.0.1

Release Notes

https://github.com/planetlabs/planet-client-python/security/advisories/GHSA-j5fj-rfh6-qj85

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-32303

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32303

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32303

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-32303