#4252 CVE-2019-7628: Pagure 5.2 leaks full API keys.
Closed: Fixed 2 years ago by pingou. Opened 2 years ago by bowlofeggs.

It was discovered that Pagure was leaking API keys by e-mailing
them to users. Few e-mail servers validate TLS certificates, so
it is possible for man-in-the-middle attacks to read these e-mails and
gain access to Pagure on the behalf of other users. The
vulnerability was introduced in [0], which was released with Pagure 5.2.

As of the time of this writing, there is not a released Pagure with a fix
for this issue.

[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe

Metadata Update from @pingou:
- Issue private status set to: True

2 years ago


This issue can be worked around by disabling the cron job. After disabling the cron job, it would be wise to delete any API keys you think may have been e-mailed. You can delete them all to be safe. Users will have to generate new ones if you take this step.

This was fixed in the PR: #4254

Metadata Update from @pingou:
- Issue private status set to: False (was: True)
- Issue set to the milestone: 5.3
- Issue tagged with: bug

2 years ago

Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Related Pull Requests
  • #4254 Merged 2 years ago