Exposure of confidential secret or token Stripe live secret key

Description

The response body contains content that matches the pattern of a Stripe live secret key was identified. Live secret keys authenticate requests on your server when in live mode. By default, you can use this key to perform any API request without restriction. A malicious actor who gained access to this key could gain read/write access to all data in Stripe for this account. Exposing this value could allow attackers to gain access to all resources granted by this token.

Remediation

For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.

To rotate your Stripe live secret key:

Sign in to your Stripe account and access https://dashboard.stripe.com/apikeys
Ensure "Test mode" is disabled
In the "Standard keys" section, find the key that was identified and select the ellipsis in the right-hand side
Select "Roll key..." - In the "Roll API key" dialog, select an expiration date, for example "now"
Select "Roll API Key"

For more information, please see Stripe's documentation on rotating API keys.

Details

ID	Aggregated	CWE	Type	Risk
798.111	false	798	Passive	High

Description

Remediation

Details

Links