Vulnerability Description
Pagure 5.2 leaks API keys by e-mailing them to users: the API token expiration reminder cron job (files/api_key_expire_mail.py) includes the token itself in the reminder it sends. Because few e-mail servers validate TLS certificates when relaying mail, a man-in-the-middle on the delivery path can read the message and then use the token to act in Pagure as the recipient. Disabling that cron job is also a viable mitigation. (Mailing only a substring of the API key was proposed as a fix and rejected; a partial key still narrows the attacker's search space.)
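The following is an added illustration written for this page, not Pagure's own files/api_key_expire_mail.py: a reminder that embeds the token (the behaviour the description above reports) beside one that identifies the token only by its label and a truncated hash, plus the check a practitioner would gate outgoing mail with. The ApiToken record, its field names, the settings URL and the sample token are assumptions made for the example.

```python
"""Added example: an API-token expiry reminder that keeps the secret out of
the mail.  Not Pagure's code; the ApiToken shape, the field names and the
settings URL are assumptions made for this illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass
class ApiToken:
    """Assumed minimal stand-in for a stored API token record."""
    id: str           # the secret bearer token itself
    description: str  # user-supplied label for the token
    user_email: str
    expiration: date


def vulnerable_reminder(token: ApiToken, today: date) -> str:
    """Before: the reminder carries the full token, so anyone who can read the
    mail in transit or in the mailbox can use it as that user."""
    days = (token.expiration - today).days
    return (
        f"Hi,\n\nYour API token {token.id} ({token.description}) "
        f"expires in {days} days.\n"
    )


def token_fingerprint(secret: str) -> str:
    """Short non-reversible identifier so the user can tell tokens apart
    without the mail carrying anything usable as a credential."""
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


def safe_reminder(token: ApiToken, today: date) -> str:
    """After: name the token by label and fingerprint only and point the user
    at the settings page (assumed URL) to rotate or extend it."""
    days = (token.expiration - today).days
    return (
        f"Hi,\n\nYour API token '{token.description}' "
        f"(fingerprint {token_fingerprint(token.id)}) expires in {days} days.\n"
        "Manage it at https://pagure.example/settings#api-keys\n"
    )


def leaks_secret(body: str, secret: str, min_len: int = 8) -> bool:
    """Gate for outgoing mail: True if the body contains the secret or any
    contiguous piece of it at least min_len characters long.  The substring
    test is why mailing only part of the key is not an acceptable fix."""
    if secret in body:
        return True
    for i in range(len(secret) - min_len + 1):
        if secret[i:i + min_len] in body:
            return True
    return False


def tokens_expiring_within(tokens, today: date, days: int = 10):
    """Cron-style filter: tokens whose expiry falls within the next `days`."""
    horizon = today + timedelta(days=days)
    return [t for t in tokens if today <= t.expiration <= horizon]


if __name__ == "__main__":
    # Constructed sample data; the token value is made up.
    today = date(2019, 2, 1)
    tok = ApiToken("KQZXWVTRPMNLJHGY7Y3KQZXWVTRPMNLJHGY", "CI deploy",
                   "user@example.org", date(2019, 2, 8))
    for t in tokens_expiring_within([tok], today):
        body = safe_reminder(t, today)
        assert not leaks_secret(body, t.id)
        print(body)
```

The fingerprint is only there so a user with several tokens knows which one is about to expire; the token is managed, and if needed re-read, over the authenticated HTTPS session, never over SMTP.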
CVSS Score
5.9 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Pagure | 5.2 |
Related Weaknesses (CWE)
References
- https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a (Issue Tracking, Patch, Vendor Advisory)
- https://pagure.io/pagure/issue/4230 (Issue Tracking, Patch, Vendor Advisory)
- https://pagure.io/pagure/issue/4252 (Broken Link)
- https://pagure.io/pagure/issue/4253 (Broken Link)
- https://pagure.io/pagure/pull-request/4254 (Issue Tracking, Patch, Vendor Advisory)
FAQ
What is CVE-2019-7628?
CVE-2019-7628 is a vulnerability with a CVSS base score of 5.9 (MEDIUM). Pagure 5.2 leaks API keys by e-mailing them to users via the API token expiration reminder cron job. Few e-mail servers validate TLS certificates, so a man-in-the-middle attacker can read these e-mails and gain access to Pagure on behalf of other users.
How severe is CVE-2019-7628?
CVE-2019-7628 has been rated MEDIUM with a CVSS base score of 5.9/10. This page gives only the base score; the full metric vector is not reproduced here.
Is there a patch for CVE-2019-7628?
Yes. The pagure.io commit 9905fb1e, issue 4230 and pull request 4254 listed in the References section above are tagged as the patch and vendor advisory. Disabling the API token expiration reminder cron job is a viable mitigation where the patch cannot be applied immediately. The affected product is Red Hat's Pagure 5.2.