This repository was archived by the owner on Feb 21, 2022. It is now read-only.
The-zoo is vulnerable to a cryptography issue: the SECRET_KEY variable in Django's settings.py falls back to "mucho secretto" if no SECRET_KEY environment variable is provided when deploying the webserver.

Steps To Reproduce:
1. Deploy the-zoo without providing a SECRET_KEY environment variable.
2. Django's SECRET_KEY will default to "mucho secretto", as per line 79 in settings.py.

Vulnerable line:

    SECRET_KEY = env("SECRET_KEY", default="mucho secretto")

Impact:
Running Django with a known SECRET_KEY defeats many of Django's security protections, and can lead to privilege escalation and remote code execution vulnerabilities.

Remediation:
Preventing the start or generating a random key for every run might be a better practice.
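One way to implement the remediation suggested above (refuse to start, or generate a fresh random key for each run) without ever hard-coding a fallback. This is an added example, not the-zoo's own code: load_secret_key, MissingSecretKey and WEAK_DEFAULTS are hypothetical names, and reading os.environ directly replaces the report's env() helper.

```python
import os
import secrets
from typing import Mapping

# Placeholder values that must never be accepted as a key. "mucho secretto" is the
# fallback quoted in the report; the remaining entries are constructed examples.
WEAK_DEFAULTS = frozenset({"", "mucho secretto", "changeme", "secret"})
# Length of the keys generated by Django's startproject; shorter keys are rejected.
MIN_KEY_LENGTH = 50


class MissingSecretKey(RuntimeError):
    """Raised when no usable SECRET_KEY is available and ephemeral keys are not allowed."""


def load_secret_key(environ: Mapping[str, str], *, allow_ephemeral: bool = False) -> str:
    """Return a SECRET_KEY for settings.py, failing closed instead of falling back.

    - A SECRET_KEY that is set, not a known placeholder and long enough is returned as-is.
    - A placeholder or short value aborts startup even though the variable is "set".
    - A missing value aborts startup, unless allow_ephemeral=True, in which case a random
      key is generated for this process only (sessions and signed tokens will not survive
      a restart, which is the trade-off of the "random key for every run" option).
    """
    key = environ.get("SECRET_KEY", "").strip()
    if key in WEAK_DEFAULTS and key != "":
        raise MissingSecretKey("SECRET_KEY is a known placeholder value; refusing to start")
    if key and len(key) < MIN_KEY_LENGTH:
        raise MissingSecretKey(
            f"SECRET_KEY is shorter than {MIN_KEY_LENGTH} characters; refusing to start"
        )
    if key:
        return key
    if allow_ephemeral:
        # 50 random bytes from the OS CSPRNG, url-safe encoded (67 characters).
        return secrets.token_urlsafe(50)
    raise MissingSecretKey("SECRET_KEY environment variable is not set; refusing to start")


if __name__ == "__main__":
    # In settings.py this would be: SECRET_KEY = load_secret_key(os.environ)
    # Set ZOO_EPHEMERAL_KEY=1 (constructed name) to opt into a per-run random key.
    ephemeral = os.environ.get("ZOO_EPHEMERAL_KEY") == "1"
    SECRET_KEY = load_secret_key(os.environ, allow_ephemeral=ephemeral)
    print(f"SECRET_KEY loaded ({len(SECRET_KEY)} characters)")
```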