CVE-2023-32303 MEDIUM

CVE-2023-32303: Planet's secret file is created with excessive permissions

Vendor Planetlabs
Product planet-client-python
Weakness CWE-732
Published May 12, 2023
Last update January 23, 2025

CVSS base score

5.2/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should be accessible only by the user, but before version 2.0.1 its permissions also allowed the user's group and all other users to read the file. This issue was patched in version 2.0.1. As a workaround, manually set the secret file's permissions to user read/write only.
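The permission problem and the workaround described above, as an added Python example (not code from planet-client-python): it contrasts a default-mode write with a write that creates the file as 0600, and checks for group/other bits. The function names, file names and the 022 umask are assumptions, and the files are constructed in a temporary directory rather than at the real secret file path.

```python
import os
import stat
import tempfile

PRIVATE_MODE = 0o600  # user read/write only, as the workaround describes


def write_secret_default(path, data):
    """Weak pattern: mode is 0o666 & ~umask, typically 0o644 (group/other readable)."""
    with open(path, "w") as f:
        f.write(data)


def write_secret_private(path, data):
    """Create the file as 0o600 from the start, so it is never readable by others."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, PRIVATE_MODE)
    with os.fdopen(fd, "w") as f:
        os.fchmod(f.fileno(), PRIVATE_MODE)  # also tightens a pre-existing file
        f.write(data)


def excess_bits(path):
    """Return the group/other permission bits set on path (0 means private)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077


def restrict(path):
    """The manual workaround: chmod an existing secret file to user read/write."""
    os.chmod(path, PRIVATE_MODE)


def demo():
    old_umask = os.umask(0o022)  # assumed common default, set explicitly here
    try:
        with tempfile.TemporaryDirectory() as d:
            weak = os.path.join(d, "secret-weak.json")  # placeholder file names
            strong = os.path.join(d, "secret-private.json")
            write_secret_default(weak, '{"key": "CONSTRUCTED"}')
            write_secret_private(strong, '{"key": "CONSTRUCTED"}')
            before = excess_bits(weak)
            restrict(weak)
            return before, excess_bits(weak), excess_bits(strong)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print([oct(bits) for bits in demo()])
```

A non-zero result from `excess_bits` on a credentials file is the condition to alert on or fix with `restrict`.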

Key dates

02 Disclosure timeline

May 12, 2023 CVE published
January 23, 2025 Record updated