CVE-2023-32303

Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the user's group and non-group to read the file as well. This issue was patched in version 2.0.1. As a workaround, set the secret file permissions to only user read/write by hand.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/planetlabs/planet-client-python/commit/d71415a83119c5e89d7b80d5f940d162376ee3b7	Patch
https://github.com/planetlabs/planet-client-python/releases/tag/2.0.1	Release Notes
https://github.com/planetlabs/planet-client-python/security/advisories/GHSA-j5fj-rfh6-qj85	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:planet:planet:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-05-12 21:15

Updated : 2023-05-26 17:36

NVD link : CVE-2023-32303

Mitre link : CVE-2023-32303

CVE.ORG link : CVE-2023-32303

JSON object : View

Products Affected

planet

planet

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2023-32303", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.0}]}, "published": "2023-05-12T21:15:09.560", "references": [{"url": "https://github.com/planetlabs/planet-client-python/commit/d71415a83119c5e89d7b80d5f940d162376ee3b7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/planetlabs/planet-client-python/releases/tag/2.0.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/planetlabs/planet-client-python/security/advisories/GHSA-j5fj-rfh6-qj85", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the user's group and non-group to read the file as well. This issue was patched in version 2.0.1. As a workaround, set the secret file permissions to only user read/write by hand.\n"}], "lastModified": "2023-05-26T17:36:37.287", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:planet:planet:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EED867FB-E5D4-44AA-B656-E9A6EE43C7AC", "versionEndExcluding": "2.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}