First published: Fri Feb 08 2019(Updated: )
Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Redhat Pagure | =5.2 | |
=5.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-7628 is a vulnerability found in Pagure 5.2 that leaks API keys by e-mailing them to users, which can be intercepted by attackers.
The severity of CVE-2019-7628 is medium with a CVSS score of 5.9.
CVE-2019-7628 works by leaking API keys through emails sent to users, which can be intercepted by attackers performing man-in-the-middle attacks.
Pagure version 5.2 is affected by CVE-2019-7628.
Yes, fixes and patches for CVE-2019-7628 are available. It is recommended to update to the latest version of Pagure to address this vulnerability.