https://github.com/CVEProject/cve-services/blob/7f683512e5bcd07f8ce48d41d06ea533c90dd265/docker/README.md
says

> Create a curl config file in $HOME/.curl-cve-config similar to the following

but does not discuss whether file permissions should be set in any specific way. Many popular systems have a default configuration in which files in a user's home directory can be read by some or all other users. There is a risk that an API key could be stolen if a threat actor has unprivileged local access to a host that is used for command-line CVE Services API access.

By contrast, https://github.com/CVEProject/cve-services/blob/6e4f176ff305ceb0e7747d2e5991a580267de73f/docker/README.md had set the .curl-cve-config file permissions to 600 before writing the API key into the file.

This might be considered a #621 regression because the current version removes code that had been added in 21320be.
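The point the issue makes is about ordering: the permissions have to be restricted before the key is written, not after. As an added example (not code from the cve-services project, its README, or the issue author), the POSIX shell below shows the "write then chmod" pattern next to a version that creates the file with mode 0600 from the moment it exists, plus a check that refuses to use a config file that is group- or world-readable. The config path, the `CVE-API-KEY` header name, the key value and the `curl` call are assumptions for illustration; the page does not show the README's actual file contents.

```shell
#!/bin/sh
# Added example, not from the cve-services project or its README.
# Goal: a curl config holding an API key must never be readable by other
# local users, not even briefly while it is being written.

# Unsafe pattern (shown for contrast): the file is created under the
# caller's default umask (commonly 0644 on the systems the issue describes)
# and locked down afterwards. Between the redirection and the chmod, any
# local user can read the key.
write_curl_config_then_chmod() {
    cfg="$1"; key="$2"
    printf 'header = "CVE-API-KEY: %s"\n' "$key" > "$cfg"   # header name is ASSUMED
    chmod 600 "$cfg"
}

# Safer pattern: set a restrictive umask in a subshell before the file is
# created, so the kernel creates it as 0600 directly and the caller's own
# umask is left untouched. Any pre-existing file (or symlink at that path)
# is removed first so an old, wider mode cannot survive.
write_curl_config_secure() {
    cfg="$1"; key="$2"
    rm -f "$cfg"
    ( umask 077 && printf 'header = "CVE-API-KEY: %s"\n' "$key" > "$cfg" )   # header name is ASSUMED
}

# Check: succeed only if the path is a regular file with mode exactly
# rw------- (no group/other bits). Parses ls(1) output because its first
# field is identical on GNU and BSD userlands, whereas stat(1) flags differ.
# Column 11 (ACL '+' or SELinux '.') is deliberately cut off.
check_curl_config_mode() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    mode=$(ls -ld "$cfg" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Usage: gate the API call on the mode check so a key in a world-readable
# file is never used silently. The curl invocation is illustrative only;
# the real endpoint is not shown on this page.
run_cve_api_call() {
    cfg="$1"; shift
    check_curl_config_mode "$cfg" || {
        echo "refusing to use $cfg: mode is not 0600" >&2
        return 1
    }
    curl --config "$cfg" "$@"
}
```

Note that `umask` in a subshell is the only step that changes the window: the `chmod 600` in the unsafe variant fixes the stored mode but cannot undo a read that already happened.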