Back to search
CVE-2019-7628
Published: Feb 8, 2019
Modified: Aug 4, 2024
PUBLISHED
Description
Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
https://pagure.io/pagure/pull-request/4254
x_refsource_MISC
https://pagure.io/pagure/issue/4230
x_refsource_MISC
https://pagure.io/pagure/issue/4252
x_refsource_MISC
https://pagure.io/pagure/issue/4253
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now