First published: Fri Feb 08 2019
Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)
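As an added illustration of the defensive fix (this is not Pagure's code and not the project's patch), the reminder below carries only a non-secret identifier, description and expiry date, and a guard refuses to send any message whose subject or body contains a run of characters from an active token. The guard also catches the "mail a substring of the key" variant the text says was tried and rejected. The `Token` dataclass, its field names, the minimum leak length of 8 characters and the SMTP host are assumptions made for this example; the mail is sent over STARTTLS with a default SSL context, which verifies the server certificate and hostname rather than accepting any certificate.

```python
"""Added example: API-token expiration reminder that never carries the secret.
Not Pagure's code; Token fields, MIN_LEAK_LEN and the SMTP host are assumptions."""
from dataclasses import dataclass
from datetime import date
from email.message import EmailMessage
import smtplib
import ssl

# Any window of this many consecutive token characters in outbound mail is a leak.
MIN_LEAK_LEN = 8  # assumption for this example


@dataclass
class Token:
    id: str           # hypothetical non-secret identifier shown to the user
    description: str  # user-chosen label, safe to mail
    secret: str       # the actual API key value; must never leave the server
    expires: date


def build_reminder(token: Token, user_email: str, today: date) -> EmailMessage:
    """Compose the reminder using only non-secret fields of the token."""
    days_left = (token.expires - today).days
    msg = EmailMessage()
    msg["Subject"] = (
        f"Pagure API token '{token.description}' expires in {days_left} days"
    )
    msg["To"] = user_email
    msg.set_content(
        f"Your Pagure API token '{token.description}' (id {token.id}) "
        f"expires on {token.expires.isoformat()}.\n"
        "Generate a replacement token from your settings page.\n"
        "This message intentionally does not contain the token value.\n"
    )
    return msg


def leaks_secret(text: str, secrets, min_len: int = MIN_LEAK_LEN) -> bool:
    """True if any min_len-character window of any secret appears in text.

    Checking windows rather than the whole value rejects partial-key mailings
    as well as full-key mailings.
    """
    for s in secrets:
        window = min(min_len, len(s))
        if window == 0:
            continue
        for i in range(len(s) - window + 1):
            if s[i:i + window] in text:
                return True
    return False


def send_reminder(msg: EmailMessage, secrets, host: str, port: int = 587) -> None:
    """Refuse to send a leaking message; otherwise deliver over verified STARTTLS."""
    if leaks_secret(f"{msg['Subject']}\n{msg.get_content()}", secrets):
        raise ValueError("refusing to send: message contains API token material")
    # Default context: CERT_REQUIRED plus hostname check, unlike a bare STARTTLS.
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls(context=ctx)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample token; the secret value is made up for this demo.
    tok = Token("tok-1", "ci-deploy", "abcdefghijklmnopqrstuvwxyz0123456789",
                date(2019, 3, 1))
    reminder = build_reminder(tok, "dev@example.org", date(2019, 2, 8))
    print(reminder["Subject"])
    print(leaks_secret(reminder.get_content(), [tok.secret]))
```

`send_reminder` is the only part that touches the network; the guard runs before any connection is opened, so a regression that reintroduces the key into the template fails closed instead of mailing it.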
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Pagure | =5.2 | |
CVE-2019-7628 is a vulnerability found in Pagure 5.2 that leaks API keys by e-mailing them to users, which can be intercepted by attackers.
The severity of CVE-2019-7628 is medium with a CVSS score of 5.9.
CVE-2019-7628 works by leaking API keys through emails sent to users, which can be intercepted by attackers performing man-in-the-middle attacks.
Pagure version 5.2 is affected by CVE-2019-7628.
Fixes and patches for CVE-2019-7628 are available; updating to the latest version of Pagure is recommended to address this vulnerability.