#4252 CVE-2019-7628: Pagure 5.2 leaks full API keys.
Closed: Fixed a day ago by pingou. Opened 11 days ago by bowlofeggs.

It was discovered that Pagure was leaking API keys by e-mailing
them to users. Few e-mail servers validate TLS certificates, so
it is possible for man-in-the-middle attacks to read these e-mails and
gain access to Pagure on the behalf of other users. The
vulnerability was introduced in [0], which was released with Pagure 5.2.

As of the time of this writing, there is not a released Pagure with a fix
for this issue.

[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe

Metadata Update from @pingou:
- Issue private status set to: True

11 days ago


This issue can be worked around by disabling the cron job. After disabling the cron job, it would be wise to delete any API keys you think may have been e-mailed. You can delete them all to be safe. Users will have to generate new ones if you take this step.

This was fixed in the PR: #4254

Metadata Update from @pingou:
- Issue private status set to: False (was: True)
- Issue set to the milestone: 5.3
- Issue tagged with: bug

a day ago

Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a day ago

Login to comment on this ticket.

Related Pull Requests
  • #4254 Merged 7 days ago