Vulnerability Details : CVE-2023-32303
Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the user's group and non-group to read the file as well. This issue was patched in version 2.0.1. As a workaround, set the secret file permissions to only user read/write by hand.
Products affected by CVE-2023-32303
- cpe:2.3:a:planet:planet:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-32303
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- Percentile: ~19% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-32303
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST | |
5.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | 2.0 | 2.7 | GitHub, Inc. | |
CWE ids for CVE-2023-32303
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-32303
- https://github.com/planetlabs/planet-client-python/security/advisories/GHSA-j5fj-rfh6-qj85
  secret file is created with excessive permissions · Advisory · planetlabs/planet-client-python · GitHub (Patch; Vendor Advisory)
- https://github.com/planetlabs/planet-client-python/commit/d71415a83119c5e89d7b80d5f940d162376ee3b7
  enforce restricting secret file permissions to user read/write · planetlabs/planet-client-python@d71415a · GitHub (Patch)
- https://github.com/planetlabs/planet-client-python/releases/tag/2.0.1
  Release 2.0.1 · planetlabs/planet-client-python · GitHub (Release Notes)