GHSA-j5fj-rfh6-qj85: Planet's secret file is created with excessive permissions
Package
pip planet (pip)
Affected versions
< 2.0.1
Patched versions
2.0.1
Description
Impact
The secret file stores the user’s Planet API authentication information. It should only be accessible by the user, but its permissions allowed the user’s group and non-group to read the file as well.
Validation
Check the permissions on the secret file with ls -l ~/.planet.json and ensure that they read as -rw-------
Patches
d71415a8
Workarounds
Set the secret file permissions to only user read/write by hand:
chmod 600 ~/.planet.json
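The validation check and the chmod 600 workaround above, plus the creation-time fix that makes the workaround unnecessary, as an added Python example (not the planet client's own code; the path, the sample credential and the temporary directory are assumed/constructed for the demo):

```python
import json
import os
import stat
import tempfile

# Constructed placeholder credential, not a real Planet API key.
SAMPLE_SECRET = {"key": "PLAK_placeholder"}


def secret_file_mode(path):
    """Return only the permission bits of the file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_user_only(path):
    """True when the mode is exactly -rw------- (what `ls -l` should show)."""
    return secret_file_mode(path) == 0o600


def write_secret_file(path, secret):
    """Write the secret so it is never group- or world-readable.

    The mode is passed to os.open at creation time, so the file never exists
    with the 0o644-style default a plain open() would give it before a later
    chmod. fchmod also tightens a file that already existed with looser
    permissions, since O_CREAT leaves an existing file's mode untouched.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w") as f:  # fdopen takes ownership of fd
        json.dump(secret, f)
    return secret_file_mode(path)


def tighten_secret_file(path):
    """The advisory's workaround (chmod 600) as a function; True on success."""
    os.chmod(path, 0o600)
    return is_user_only(path)


def demo():
    """Exercise the helpers in a throwaway directory and report what was seen."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".planet.json")  # stand-in for ~/.planet.json
        created = write_secret_file(path, SAMPLE_SECRET)
        os.chmod(path, 0o644)  # simulate the pre-2.0.1 permissions
        loose_ok = is_user_only(path)
        fixed = tighten_secret_file(path)
        return {"created": created, "loose_ok": loose_ok, "fixed": fixed}


if __name__ == "__main__":
    print(demo())
```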
References
- GHSA-j5fj-rfh6-qj85
- https://nvd.nist.gov/vuln/detail/CVE-2023-32303
- https://github.com/planetlabs/planet-client-python/releases/tag/2.0.1
jreiberkyle published to planetlabs/planet-client-python
May 12, 2023
Published to the GitHub Advisory Database
May 12, 2023
Reviewed
May 12, 2023
Related news
Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the user's group and non-group to read the file as well. This issue was patched in version 2.0.1. As a workaround, set the secret file permissions to only user read/write by hand.