Exposure of Sensitive Information to an Unauthorized Actor in tl-its-umich-edu/my-learning-analytics
Reported on May 23rd 2021
✍️ Description
The Django secret key is exposed in the Dockerfile. It is used to sign JSON objects, create hashes and generate CSRF tokens.
🕵️♂️ Proof of Concept
https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key/15383766?noredirect=1#comment21743494_15383766
💥 Impact
An attacker will be able to forge JSON objects and create CSRF tokens by following this approach. The secure alternative would be to use an environment variable to store the secret.
Thanks! The DJANGO_SECRET_KEY in this Dockerfile context is only used so collectstatic can run. A secret key is required to be provided through the configuration file while the app is running. Whether this is hardcoded or random won't make a difference here and the PoC isn't relevant.
Even though this doesn't seem like a high-priority issue, we're not 100% sure, so we researched and resolved this. Thanks for the issue and notification!
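As an added illustration of the reporter's remediation and the maintainer's reply (not code from the project): a settings-style loader that takes the runtime key from DJANGO_SECRET_KEY and refuses the baked-in build-time value, plus a simplified salted-HMAC signer showing that a token minted under a leaked build-time key does not verify under a different runtime key. The placeholder key value, the 50-character minimum and the signer itself are constructed assumptions, not the project's configuration or Django's own code.

```python
import hashlib
import hmac
import os

# Constructed placeholder standing in for a key baked into an image so that
# collectstatic can run at build time; the real value is not reproduced here.
BUILD_TIME_PLACEHOLDER = "build-time-placeholder-not-a-secret"
MIN_KEY_LENGTH = 50  # assumption: matches the length Django's startproject generates


def load_secret_key(env=os.environ):
    """Return the runtime SECRET_KEY from the environment, refusing baked-in or weak values."""
    key = env.get("DJANGO_SECRET_KEY", "")
    if key == BUILD_TIME_PLACEHOLDER:
        raise RuntimeError("DJANGO_SECRET_KEY is the build-time placeholder; set a real key")
    if len(key) < MIN_KEY_LENGTH:
        raise RuntimeError("DJANGO_SECRET_KEY is missing or too short")
    return key


def sign(value, secret, salt="django.core.signing.Signer"):
    """Salted HMAC-SHA256 over value, in the style of (but not identical to) Django's Signer."""
    key = hashlib.sha256((salt + "signer" + secret).encode()).digest()
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"


def verify(signed, secret, salt="django.core.signing.Signer"):
    """Return the payload if the MAC matches under this secret, else None."""
    value, sep, mac = signed.rpartition(":")
    if not sep:
        return None
    expected = sign(value, secret, salt).rpartition(":")[2]
    return value if hmac.compare_digest(mac, expected) else None


def build_key_exposure_is_inert(runtime_key):
    """True when a token signed with the leaked build-time key is rejected at runtime.

    This is the maintainer's argument: if the running app never uses the
    Dockerfile key, knowledge of that key does not let anyone mint valid tokens.
    """
    token = sign('{"user": 1}', BUILD_TIME_PLACEHOLDER)
    accepted_by_build_key = verify(token, BUILD_TIME_PLACEHOLDER) is not None
    rejected_at_runtime = verify(token, runtime_key) is None
    return accepted_by_build_key and rejected_at_runtime


if __name__ == "__main__":
    runtime = load_secret_key({"DJANGO_SECRET_KEY": "r" * 64})  # constructed runtime key
    print("leaked build key is inert:", build_key_exposure_is_inert(runtime))
```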
@Code Hugger, feel free to confirm the fix once you have patched it on your repository. Have a great day all! 🎉
It looks like this vulnerability was validated and awarded twice?