#4252 CVE-2019-7628: Pagure 5.2 leaks full API keys.
Closed: Fixed 2 months ago by pingou. Opened 2 months ago by bowlofeggs.

It was discovered that Pagure was leaking API keys by e-mailing
them to users. Few e-mail servers validate TLS certificates, so
it is possible for man-in-the-middle attacks to read these e-mails and
gain access to Pagure on behalf of other users. The
vulnerability was introduced in [0], which was released with Pagure 5.2.

As of the time of this writing, there is not a released Pagure with a fix
for this issue.

[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe


Metadata Update from @pingou:
- Issue private status set to: True

2 months ago

Workaround

This issue can be worked around by disabling the cron job. After disabling the cron job, it would be wise to delete any API keys you think may have been e-mailed. You can delete them all to be safe. Users will have to generate new ones if you take this step.

This was fixed in the PR: #4254

Metadata Update from @pingou:
- Issue private status set to: False (was: True)
- Issue set to the milestone: 5.3
- Issue tagged with: bug

2 months ago

Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 months ago

Metadata
Related Pull Requests
  • #4254 Merged 2 months ago