Exposure of Sensitive Information to an Unauthorized Actor in opendatacube/odc-tools

Valid

Reported on

Sep 16th 2021


Description

Information disclosure: AWS principalId, sourceIPAddress, configurationId and more.

Proof of Concept

https://raw.githubusercontent.com/opendatacube/odc-tools/develop/apps/dc_tools/tests/data/sentinel-2-nrt_2020_08_21.json

Impact

Leaks Sensitive Data

Occurrences

Information disclosure: AWS principalId, sourceIPAddress, configurationId and more.
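The fixture named in the proof of concept has the shape of an S3 event notification, and the fields called out above (principalId, sourceIPAddress, configurationId) are the ones in that record that identify the account, the caller and the network origin. The script below is an added example, not code from the report or from the odc-tools project: it walks a parsed JSON fixture, reports every path holding one of those keys, and writes back a copy with fixed placeholders so the fixture keeps its structure but carries no real identifiers. The key names follow the AWS S3 event notification schema; the choice of which keys count as sensitive, the placeholder values, and the sample record itself are this example's own constructed assumptions.

```python
import json

# Keys of an S3 event notification record that identify the account, the
# caller or the request origin. The names are from the AWS S3 event schema;
# treating exactly these as sensitive is this example's own policy choice.
SENSITIVE_KEYS = {
    "principalId": "ANONYMIZED_PRINCIPAL",
    "sourceIPAddress": "0.0.0.0",
    "configurationId": "ANONYMIZED_CONFIG",
    "x-amz-request-id": "ANONYMIZED_REQUEST_ID",
    "x-amz-id-2": "ANONYMIZED_ID_2",
}


def find_sensitive(obj, path=""):
    """Walk a parsed JSON document and return (json_path, value) pairs for
    every occurrence of a key listed in SENSITIVE_KEYS, at any depth."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                hits.append((child, value))
            else:
                hits.extend(find_sensitive(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_sensitive(value, f"{path}[{i}]"))
    return hits


def scrub(obj):
    """Return a copy of the document with every sensitive value replaced by
    its placeholder; structure and all other values are preserved."""
    if isinstance(obj, dict):
        return {
            k: (SENSITIVE_KEYS[k] if k in SENSITIVE_KEYS else scrub(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    return obj


def scrub_fixture_text(text):
    """Parse fixture JSON text; return (findings, scrubbed JSON text).
    Output is sorted and indented so re-running on it is a no-op."""
    doc = json.loads(text)
    hits = find_sensitive(doc)
    return hits, json.dumps(scrub(doc), indent=2, sort_keys=True)


# Constructed sample in the shape of an S3 ObjectCreated event. Every value
# here is made up; none comes from the fixture the report points at.
SAMPLE_FIXTURE = json.dumps({
    "Records": [{
        "eventVersion": "2.1",
        "eventSource": "aws:s3",
        "awsRegion": "ap-southeast-2",
        "eventName": "ObjectCreated:Put",
        "userIdentity": {"principalId": "AWS:EXAMPLEPRINCIPALID"},
        "requestParameters": {"sourceIPAddress": "198.51.100.7"},
        "responseElements": {
            "x-amz-request-id": "EXAMPLEREQUESTID",
            "x-amz-id-2": "EXAMPLEID2",
        },
        "s3": {
            "s3SchemaVersion": "1.0",
            "configurationId": "example-config",
            "bucket": {
                "name": "example-bucket",
                "ownerIdentity": {"principalId": "EXAMPLEOWNER"},
            },
            "object": {"key": "example.json", "size": 10},
        },
    }]
})

if __name__ == "__main__":
    findings, cleaned = scrub_fixture_text(SAMPLE_FIXTURE)
    for json_path, value in findings:
        print(f"sensitive field {json_path}: {value!r}")
    print(cleaned)
```

Running this before a fixture is committed (for example as a pre-commit hook over `tests/data/*.json`) turns the "fudging" the maintainer mentions into a repeatable step, and the findings list doubles as a check that an already-committed fixture contains only placeholders. As the maintainer notes, scrubbing the working copy does not remove values already present in git history or forks; rotating or revoking what was exposed is a separate task.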

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
Ziding Zhang
2 months ago

Admin


Hey Anwar, I've emailed the maintainers for you.

We have contacted a member of the opendatacube/odc-tools team and are waiting to hear back 2 months ago
Kirill Kouzoubov validated this vulnerability 2 months ago
Anwar has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kirill
2 months ago

So this is a test fixture that was not "fudged". I'm not sure what the implications to account holders are, but they have been notified. We can "fix" it by fudging the fixture I suppose, but the information is already there in the git history and in the forks.

Anwar
2 months ago

Researcher


Thank you :)

Kirill Kouzoubov confirmed that a fix has been merged on 133929 2 months ago
The fix bounty has been dropped