A DigitalOcean spaces bucket has public read Access Control List which can lead to private data exposure
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| CRITICAL | HIGH | DigitalOcean | DATA, PERMISSION |
Description
DigitalOcean Spaces provides an API to manage data storage via HTTP requests. Spaces also supports a set of access controls for buckets and objects, among which pre-defined "canned ACLs" such as "public-read". A spaces bucket or object analyzed is set with "public-read" ACLs : this means that its content can be publicly read without authentication. Setting such ACLs should be done only if explicitly required as it can publicly expose internal data.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | False |
- Data Exposure
Remediation guidelines
Except if the bucket or object needs to be publicly accessed by unauthenticated users, we recommend the following :
- Switch the bucket to the "private" preset ACL.
- Set a custom ACL for the concerned object or bucket. See the related documentation provided.
References
Was this page helpful?
