AVID-2026-R1241

Description

Planet’s secret file is created with excessive permissions (CVE-2023-32303)

Details

Planet is software that provides satellite data. The secret file stores the user’s Planet API authentication information. It should be accessible only by the user, but before version 2.0.1 its permissions also allowed the user’s group and other (non-group) users to read the file. This issue was patched in version 2.0.1. As a workaround, manually set the secret file’s permissions to user read/write only.
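The following is an added example, not code from planet-client-python or from this advisory. It shows how a credential file written with the process default umask ends up group- and world-readable, how to detect that, the workaround described above, and a writer that creates the file owner-only from the start. The file name `secret.json`, the function names and the key value are constructed placeholders, and a POSIX system is assumed.

```python
import os
import stat
import tempfile

def write_secret_insecure(path, data):
    """Illustrative 'before' pattern: mode is 0o666 masked by umask (0o644 with umask 022)."""
    with open(path, "w") as f:
        f.write(data)

def write_secret_private(path, data):
    """Create the file as 0o600 so it is never readable by group or others."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        # The mode passed to os.open() only applies to newly created files;
        # fchmod also tightens a file left behind with loose permissions.
        os.fchmod(f.fileno(), 0o600)
        f.write(data)

def excess_bits(path):
    """Return the group/other permission bits set on path (0 means owner-only)."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)

def apply_workaround(path):
    """The advisory's manual workaround: user read/write only."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)

def demo():
    old_umask = os.umask(0o022)  # common default umask, set explicitly for the demo
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "secret.json")  # constructed placeholder path
            data = '{"key": "CONSTRUCTED-NOT-A-REAL-KEY"}'
            write_secret_insecure(path, data)
            before = excess_bits(path)       # group and other read bits are set
            apply_workaround(path)
            after = excess_bits(path)        # owner-only after chmod
            os.chmod(path, 0o644)            # simulate a file left by an old writer
            write_secret_private(path, data)
            rewritten = excess_bits(path)    # tightened on rewrite
            return before, after, rewritten
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print([oct(bits) for bits in demo()])
```

A nonzero result from `excess_bits` on a credential file is the condition to alert on when auditing hosts that ran a version before 2.0.1.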

Reason for inclusion in AVID: CVE-2023-32303 describes insecure file permissions for a secret file in Planet Client Python, a library that can be used to fetch satellite imagery. This is a vulnerability in a software component that can participate in AI data ingestion pipelines (data/feature pipelines) and training workflows. The issue exposes API credentials, enabling potential credential compromise if the component is misconfigured or exploited, which is a security risk in AI software stacks. The advisory clearly states the affected versions and the patch in 2.0.1, with references to CVE and security advisories. These signals indicate a software supply-chain vulnerability relevant to AI systems, rather than hardware/firmware-only concerns.

References

Affected or Relevant Artifacts

  • Developer: planetlabs
  • Deployer: planetlabs
  • Artifact Details:
      • Type: System
      • Name: planet-client-python

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Base Score: 5.2
  • Base Severity: 🟠 Medium
  • Attack Vector: LOCAL
  • Attack Complexity: 🟢 Low
  • Privileges Required: 🟢 Low
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: 🟢 Low
  • Integrity Impact: 🟢 Low
  • Availability Impact: NONE

CWE

  • ID: CWE-732
  • Description: CWE-732: Incorrect Permission Assignment for Critical Resource

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2023-05-12
  • Version: 0.3.3
  • AVID Entry