List: oss-security
Subject: [oss-security] CVE-2019-7628: Pagure version 5.2 leaks API keys by e-mail
From: Randy Barlow <randy () electronsweatshop ! com>
Date: 2019-02-08 14:08:22
Message-ID: c8a1fdf00760245ccdabc0ac0f4d0b981f478b34.camel () electronsweatshop ! com
It was discovered that Pagure[4] 5.2 includes full API tokens in the e-mails
it sends to remind users that those tokens are expiring soon[3].
The vulnerability was introduced in 5.2[0]. A partial fix was
applied in [1], but that fix still leaked partial keys.
At the time of this writing, a fix is proposed at [2].
There is not yet a released version of Pagure with a fix, but Pagure
administrators can work around this issue by disabling the cron job. It
may be wise to delete all API tokens that may have been e-mailed after
disabling the cron job as a precautionary measure.
[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe
[1] https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a
[2] https://pagure.io/pagure/pull-request/4254
[3] https://nvd.nist.gov/vuln/detail/CVE-2019-7628
[4] https://pagure.io/pagure
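A constructed illustration of the defect class described in this advisory (added here, not Pagure's own code): the three shapes a token-expiry reminder can take, the vulnerable one carrying the full token, the partial fix that still exposes a prefix, and a version that references the token only by its non-secret label and date, plus a check that a test suite or mail hook could run against outgoing notification text. The token record layout, field names and message wording are assumptions.

```python
"""Token-expiry reminders: leaking vs. safe shapes, with a secret-material check.

Constructed example; the ApiToken layout and message text are hypothetical.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class ApiToken:
    """Hypothetical token record: the bearer secret plus non-secret metadata."""
    value: str         # the secret bearer value; must never appear in mail
    description: str   # user-chosen label, safe to show
    expiration: date   # safe to show


def reminder_leaking_full_token(token: ApiToken) -> str:
    """Vulnerable shape: the whole secret is interpolated into the body."""
    return (f"Your API token {token.value} ({token.description}) "
            f"expires on {token.expiration.isoformat()}.")


def reminder_leaking_partial_token(token: ApiToken) -> str:
    """Partial-fix shape: a truncated secret still discloses key material."""
    return (f"Your API token starting with {token.value[:8]} "
            f"({token.description}) expires on {token.expiration.isoformat()}.")


def reminder_safe(token: ApiToken) -> str:
    """Hardened shape: only the label and the date; the secret stays server-side."""
    return (f'Your API token "{token.description}" expires on '
            f"{token.expiration.isoformat()}. Review your tokens in the "
            f"project settings page.")


def contains_secret_material(body: str, secret: str, min_len: int = 8) -> bool:
    """True if any min_len-character window of the secret appears in body.

    A sliding window (not just a prefix test) catches 'starts with', 'ends
    with' and middle-fragment leaks alike. min_len=8 keeps chance matches on
    a hex secret negligible in short notification text."""
    return any(secret[i:i + min_len] in body
               for i in range(len(secret) - min_len + 1))


if __name__ == "__main__":
    tok = ApiToken("deadbeefcafe0123456789abcdef0123456789abcdef0123456789abcdef0000",
                   "ci-deploy", date(2019, 3, 1))  # constructed sample values
    for build in (reminder_leaking_full_token, reminder_leaking_partial_token, reminder_safe):
        print(f"{build.__name__}: leaks={contains_secret_material(build(tok), tok.value)}")
```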