CVE-2023-32303
Planet's secret file is created with excessive permissions
5.5
MEDIUM
CVSS 3.1
EPSS 0.06%
Description
Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the user's group and non-group to read the file as well. This issue was patched in version 2.0.1. As a workaround, set the secret file permissions to only user read/write by hand.
How to fix CVE-2023-32303
To remediate CVE-2023-32303, upgrade the affected package to a fixed version below.
- —upgrade to 2.0.1 or later
- —upgrade to d71415a83119c5e89d7b80d5f940d162376ee3b7 or later
Is CVE-2023-32303 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.0.1
- from 0, < d71415a83119c5e89d7b80d5f940d162376ee3b7 | from 0, < 2.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |