Exposure of confidential secret or token PlanetScale API token

Description

The response body contains content that matches the pattern of a PlanetScale API service token was identified. Service tokens are created and assigned permissions depending on the allowed scope. A malicious actor with access to the service token is granted the same permissions that were assigned to this service token. Exposing this value could allow attackers to gain access to all resources granted by this token.

Remediation

For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.

To revoke a service token:

• Sign in to your PlanetScale account and access https://app.planetscale.com/.
• From the menu on the left-hand side, select "Settings"
• Under "Settings", select "Service tokens"
• Find the identified security token and select its name
• Take note of its organization access, permissions and scope
• Select "Delete service token" in the upper-right corner
• When prompted, select "Delete" in the "Delete service token" dialog

For more information, please see PlanetScale's documentation on service tokens.

Details

ID	Aggregated	CWE	Type	Risk
798.91	false	798	Passive	High

Links

• CWE