CVE-2023-32303: Planet's secret file is created with excessive permissions
The secret file stores the user’s Planet API authentication information. It should be accessible only by the user, but its permissions also allowed the user’s group and other (non-group) users to read the file.
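The following is an added example, not code from planet-client-python or its fix commit. It shows how a plain `open()` leaves a credential file readable by group and others under a common umask, one way to create the file owner-only, and a check for files that already exist. The file name `secret.json`, the key value and all function names are constructed placeholders.

```python
import json
import os
import stat
import tempfile


def write_secret_loose(path, data):
    """'Before' pattern: open() creates the file as 0o666 & ~umask."""
    with open(path, "w") as fp:
        json.dump(data, fp)


def write_secret_private(path, data):
    """Create the file as 0o600 and tighten it if it already existed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    # The mode passed to os.open() is ignored for an existing file,
    # so set the permissions explicitly before writing any secret.
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w") as fp:
        json.dump(data, fp)


def excess_bits(path):
    """Return group/other permission bits set on path (0 means owner-only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)


def demo():
    """Write the same secret both ways and report the excess bits."""
    old_umask = os.umask(0o022)  # common default, pinned for a stable result
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "secret.json")  # placeholder name
            data = {"key": "CONSTRUCTED-EXAMPLE-KEY"}  # constructed value
            write_secret_loose(path, data)
            before = excess_bits(path)   # group and other read bits set
            write_secret_private(path, data)
            after = excess_bits(path)    # no group/other bits left
            return before, after
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    before, after = demo()
    print(f"loose: {before:#o}  private: {after:#o}")
```

`excess_bits()` can be pointed at an existing credential file after upgrading, since a file created by an affected version keeps its old mode until it is rewritten or fixed with `chmod 600`.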
References
- github.com/advisories/GHSA-j5fj-rfh6-qj85
- github.com/planetlabs/planet-client-python
- github.com/planetlabs/planet-client-python/commit/d71415a83119c5e89d7b80d5f940d162376ee3b7
- github.com/planetlabs/planet-client-python/releases/tag/2.0.1
- github.com/planetlabs/planet-client-python/security/advisories/GHSA-j5fj-rfh6-qj85
- github.com/pypa/advisory-database/tree/main/vulns/planet/PYSEC-2023-71.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-32303