Advisory ID: DOPPLER-PSA-2024-004
Publication Date: 2024-09-19
Revision Date: 2024-09-19
Status: Confirmed, Fixed
Document Revision: 1.0

Overview

Doppler has found and resolved an issue where secret values revealed via the Dashboard's secret version history tab were not recorded in the secret's access history.

Description

When Doppler serves a request for a secret value, it records information about that request in a database table. This data is then provided to users so that they can retrieve the access history associated with a secret or a user.

Doppler had a gap in this read-tracking logic: reveals performed within the version history tab of a particular secret were not logged, while reveals performed elsewhere in the Dashboard were.

To exploit this gap, a user would have needed to know about the issue and to reveal the value only through the version history tab, never by any other (logged) means. The user would also have needed permission to reveal the value in the first place. Doppler has no reason to believe this has been maliciously exploited.
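The shape of this gap is a common one: audit logging is performed by each caller rather than by the single code path that returns plaintext, so a new UI surface can read a secret without ever touching the tracking logic. The following is an added illustration, not Doppler's code, and Doppler's actual backend structure is not described in this advisory; the class names, the "secret_detail" and "version_history" sources, the sample secret and the audit_gap() check are all hypothetical. It contrasts a store where each endpoint logs on its own (and one forgets) with a store where logging is unconditional inside the one function that can return a value, and it shows the regression check a practitioner would keep: drive every reveal path and confirm the number of log rows matches the number of reveals.

```python
# Added example, not Doppler's code: a model of the access-tracking gap the
# advisory describes and the structural fix that closes it.  All names here
# (AccessLog, LeakyStore, HardenedStore, the secret data) are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    """One row of the (hypothetical) read-tracking table."""
    actor: str
    secret: str
    version: int
    source: str  # which UI surface performed the reveal


class AccessLog:
    def __init__(self) -> None:
        self.events: list[AccessEvent] = []

    def record(self, actor: str, secret: str, version: int, source: str) -> None:
        self.events.append(AccessEvent(actor, secret, version, source))

    def history(self, secret: str) -> list[AccessEvent]:
        """What a user sees on the access-history view for one secret."""
        return [e for e in self.events if e.secret == secret]


# Constructed sample data: one secret with two stored versions (v1, v2).
SECRET_VERSIONS = {"DB_PASSWORD": ["hunter2", "correct-horse-battery-staple"]}


class LeakyStore:
    """Each endpoint is responsible for its own logging (the pattern that fails)."""

    def __init__(self, log: AccessLog) -> None:
        self.log = log

    def reveal_current(self, actor: str, name: str) -> str:
        versions = SECRET_VERSIONS[name]
        self.log.record(actor, name, len(versions), "secret_detail")
        return versions[-1]

    def reveal_version(self, actor: str, name: str, version: int) -> str:
        # No log.record() call: a reader who only uses this path leaves no trace.
        return SECRET_VERSIONS[name][version - 1]


class HardenedStore:
    """Logging lives in the one function that can return plaintext."""

    def __init__(self, log: AccessLog) -> None:
        self.log = log

    def _read(self, actor: str, name: str, version: int, source: str) -> str:
        value = SECRET_VERSIONS[name][version - 1]
        self.log.record(actor, name, version, source)  # unconditional
        return value

    def reveal_current(self, actor: str, name: str) -> str:
        return self._read(actor, name, len(SECRET_VERSIONS[name]), "secret_detail")

    def reveal_version(self, actor: str, name: str, version: int) -> str:
        return self._read(actor, name, version, "version_history")


def exercise(store_cls) -> tuple[int, AccessLog]:
    """Drive every reveal path once; return (reveals performed, resulting log)."""
    log = AccessLog()
    store = store_cls(log)
    store.reveal_current("alice", "DB_PASSWORD")
    store.reveal_version("alice", "DB_PASSWORD", 1)
    return 2, log


def audit_gap(store_cls) -> int:
    """Number of reveals that produced no access-log row.  Zero is the only acceptable value."""
    reveals, log = exercise(store_cls)
    return reveals - len(log.events)


if __name__ == "__main__":
    for cls in (LeakyStore, HardenedStore):
        print(f"{cls.__name__}: {audit_gap(cls)} untracked reveal(s)")
```

Running the block reports one untracked reveal for LeakyStore and none for HardenedStore. The point of audit_gap() is that it enumerates the reveal paths rather than trusting any one of them; in a real service the same check would be a test that exercises every route or resolver capable of returning a secret and asserts on the tracking table afterwards.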

Solution

A code fix remediating this vulnerability has already been deployed to the Doppler infrastructure. No action is necessary from customers.

Vulnerability Metrics

Remotely Exploitable: Yes
Authentication Required: Yes
Severity: Low
CVSSv3.1 Overall Score: 2.7
CVSSv3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Timeline

September 19, 2024 19:00 UTC

Doppler Engineering is made aware of the vulnerability and begins investigation.

September 19, 2024 19:55 UTC

Doppler completes deployment of patched code to production and verifies the issue no longer exists.

References

Doppler Access Logs - https://docs.doppler.com/docs/access-logs#access

If you have any questions or concerns regarding this PSA, please contact Doppler Support.