Exposure of Sensitive Information to an Unauthorized Actor in tl-its-umich-edu/my-learning-analytics
May 23rd 2021
The Django secret key is exposed in the Dockerfile. It is used to sign JSON objects, create hashes and generate CSRF tokens.
🕵️‍♂️ Proof of Concept
An attacker will be able to forge JSON objects and create CSRF tokens by following this approach. The secure alternative would be to use an environment variable to store the secret.
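The mitigation the report suggests, as an added example that is not part of the report or of the my-learning-analytics project: read the key from an environment variable at runtime, refuse a missing key or the build-time placeholder, and show why a value signed under a key baked into the image cannot pass verification under the real deployment key. `BUILD_TIME_KEY`, `load_secret_key`, `sign`, `verify` and `demo` are names assumed for this example, and the HMAC helper is a simplified stand-in for `django.core.signing`, not Django's own code.

```python
import hashlib
import hmac
import os
import secrets

# Constructed placeholder standing in for a key hard-coded at image build time.
BUILD_TIME_KEY = "build-only-placeholder-key"


def load_secret_key(env=os.environ, env_var="DJANGO_SECRET_KEY") -> str:
    """Return the runtime secret key from the environment, failing closed.

    A missing key, a too-short key, or the build-time placeholder (readable by
    anyone with the Dockerfile) is rejected rather than silently used.
    """
    key = env.get(env_var, "")
    if key == BUILD_TIME_KEY:
        raise RuntimeError(f"{env_var} is the hard-coded build-time key; set a real secret")
    if len(key) < 50:
        raise RuntimeError(f"{env_var} is missing or shorter than 50 characters")
    return key


def sign(value: str, key: str) -> str:
    """Return 'value:signature' with an HMAC-SHA256 over value (simplified signing)."""
    mac = hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"


def verify(signed: str, key: str) -> bool:
    """True only if the signature was produced with this key (constant-time compare)."""
    value, _, mac = signed.rpartition(":")
    expected = hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def demo() -> dict:
    """A token signed with the build-time key is rejected under the runtime key."""
    runtime_key = secrets.token_urlsafe(48)  # constructed per-deployment key, 64 chars
    build_key_token = sign("session=alice", BUILD_TIME_KEY)
    runtime_token = sign("session=alice", runtime_key)
    return {
        "build_key_token_accepted": verify(build_key_token, runtime_key),  # False
        "runtime_token_accepted": verify(runtime_token, runtime_key),      # True
    }


if __name__ == "__main__":
    print(demo())
```

Because `load_secret_key` raises when the baked-in value reaches production, a container started without `DJANGO_SECRET_KEY` set fails at startup instead of signing sessions and CSRF tokens with a key that is public in the repository.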
Thanks! The DJANGO_SECRET_KEY in this Dockerfile context is only used so collectstatic can run. A secret key is required to be provided through the configuration file while the app is running. Whether this is hardcoded or random won't make a difference here and the PoC isn't relevant.
Even though this doesn't seem like it's a high-priority issue, we're not 100% sure, so we researched and resolved this. Thanks for the issue and notification!
Re-validated as the previous validation failed.
@Code Hugger, feel free to confirm fix once you have patched on your repository. Have a great day all! 🎉
It looks like this vulnerability was validated and awarded twice?
Just a visual bug!