In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
Unintended people who don't need to know the secret might get access to it. They might then be able to use it to gain unwanted access to the associated
services or resources.
The severity of the trust issue depends on the roles and entitlements of the people who obtain the secret.
If an attacker gains access to an SSLMate secret, they might be able to gain access to an organization's SSL/TLS certificates.
What is the potential impact?
SSLMate provides APIs used by organizations to issue and monitor SSL/TLS certificates. These certificates guarantee the authenticity of the
organization's servers and the confidentiality of the data exchanged with them. Depending on the permissions granted to the API key, an attacker could
potentially create, revoke, or modify the organization's SSL/TLS certificates.
Creating certificates would allow attackers to impersonate the organization's servers. This enables Man-in-the-Middle attacks that affect
both the confidentiality and the integrity of the communications between clients and that server.