A DigitalOcean spaces bucket has public read Access Control List which can lead to private data exposure
Severity | Exploitability | Providers | Categories |
---|---|---|---|
CRITICAL | HIGH | DigitalOcean | DATA, PERMISSION |
Description
DigitalOcean Spaces provides an API to manage data storage via HTTP requests. Spaces also supports a set of access controls for buckets and objects, among which pre-defined "canned ACLs" such as "public-read". A spaces bucket or object analyzed is set with "public-read" ACLs : this means that its content can be publicly read without authentication. Setting such ACLs should be done only if explicitly required as it can publicly expose internal data.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | False | False | False |
- Data Exposure
Remediation guidelines
Except if the bucket or object needs to be publicly accessed by unauthenticated users, we recommend the following :
- Switch the bucket to the "private" preset ACL.
- Set a custom ACL for the concerned object or bucket. See the related documentation provided.