Exposure of Sensitive Information to an Unauthorized Actor in opendatacube/odc-tools

Valid

Reported on

Sep 16th 2021


Description

Information disclosure: AWS principalId, sourceIPAddress, configurationId and more.

Proof of Concept

https://raw.githubusercontent.com/opendatacube/odc-tools/develop/apps/dc_tools/tests/data/sentinel-2-nrt_2020_08_21.json

Impact

Leaks Sensitive Data

Occurrences

Information disclosure: AWS principalId, sourceIPAddress, configurationId and more.
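The report above concerns an S3 event notification JSON committed as a test fixture with its real caller, request-origin and configuration identifiers left in. The following is an added example, not code from the report or from the odc-tools project, of the kind of pre-commit check a maintainer can run over fixture files: it walks the document, lists every path carrying one of the identifying fields, and produces a redacted copy that keeps the structure (so the fixture still exercises the same parsing code) while replacing the values with fixed placeholders. The sample fixture is constructed here, with placeholder values, and is assumed to follow the S3 event notification record layout; the key set (the three fields the report names plus the two `responseElements` request IDs) is this example's own choice and can be extended.

```python
import copy
import json

# Keys in an S3 event notification record that identify the bucket owner,
# the calling principal, the request origin or the notification config.
# The three fields named in the report plus the two response request IDs;
# this set is an assumption of this example and can be extended.
SENSITIVE_KEYS = {
    "principalId": "PRINCIPAL_ID_REDACTED",
    "sourceIPAddress": "0.0.0.0",
    "configurationId": "CONFIGURATION_ID_REDACTED",
    "x-amz-request-id": "REQUEST_ID_REDACTED",
    "x-amz-id-2": "ID2_REDACTED",
}

# Constructed sample fixture in the S3 event notification shape. All values
# are placeholders; nothing here is taken from the real fixture.
SAMPLE_FIXTURE = {
    "Records": [{
        "eventVersion": "2.1",
        "eventSource": "aws:s3",
        "awsRegion": "ap-southeast-2",
        "eventName": "ObjectCreated:Put",
        "userIdentity": {"principalId": "AWS:AIDAEXAMPLEPRINCIPAL"},
        "requestParameters": {"sourceIPAddress": "203.0.113.10"},
        "responseElements": {
            "x-amz-request-id": "EXAMPLEREQID",
            "x-amz-id-2": "EXAMPLEID2",
        },
        "s3": {
            "s3SchemaVersion": "1.0",
            "configurationId": "example-notification-config",
            "bucket": {
                "name": "example-bucket",
                "ownerIdentity": {"principalId": "EXAMPLEOWNER"},
                "arn": "arn:aws:s3:::example-bucket",
            },
            "object": {"key": "S2A_MSIL2A_example.json", "size": 1024},
        },
    }]
}


def leaked_paths(doc, path=""):
    """Return the dotted paths of every sensitive key whose value is not
    already the placeholder, so a reviewer sees exactly what a fixture leaks."""
    found = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            child = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS and value != SENSITIVE_KEYS[key]:
                found.append(child)
            else:
                found.extend(leaked_paths(value, child))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            found.extend(leaked_paths(item, f"{path}[{i}]"))
    return found


def redact(doc):
    """Return a new document with every sensitive value replaced by its
    placeholder; other fields and the nesting are kept unchanged and the
    input is not mutated."""
    if isinstance(doc, dict):
        return {
            k: (SENSITIVE_KEYS[k] if k in SENSITIVE_KEYS else redact(v))
            for k, v in doc.items()
        }
    if isinstance(doc, list):
        return [redact(item) for item in doc]
    return copy.deepcopy(doc)


def check_fixture_text(text):
    """Parse the contents of a fixture file and return the leaked paths;
    an empty list means the fixture is clean."""
    return leaked_paths(json.loads(text))


if __name__ == "__main__":
    for p in leaked_paths(SAMPLE_FIXTURE):
        print("leaks:", p)
    print(json.dumps(redact(SAMPLE_FIXTURE), indent=2))
```

Wiring `check_fixture_text` into a pre-commit hook over `tests/data/*.json` catches a fixture before it reaches the repository; as the maintainer notes in the thread, redacting after the fact does not remove what is already in the git history and in forks, so the identifiers themselves should be treated as exposed regardless.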

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
Z-Old
2 years ago

Admin


Hey Anwar, I've emailed the maintainers for you.

We have contacted a member of the opendatacube/odc-tools team and are waiting to hear back 2 years ago
Kirill Kouzoubov validated this vulnerability 2 years ago
Anwar has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kirill
2 years ago

Maintainer


So this is a test fixture that was not "fudged". I'm not sure what the implications to account holders are, but they have been notified. We can "fix" it by fudging the fixture I suppose, but the information is already there in the git history and in the forks.

Anwar
2 years ago

Researcher


Thank you :)

Kirill Kouzoubov marked this as fixed with commit 133929 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE