
List:       oss-security
Subject:    [oss-security] CVE-2019-7628: Pagure version 5.2 leaks API keys by e-mail
From:       Randy Barlow <randy () electronsweatshop ! com>
Date:       2019-02-08 14:08:22
Message-ID: c8a1fdf00760245ccdabc0ac0f4d0b981f478b34.camel () electronsweatshop ! com


It was discovered that Pagure[4] 5.2 includes full API tokens in the e-mails
that are intended to remind users that the tokens are expiring soon[3].
The vulnerability was introduced in 5.2[0]. There was a partial fix
applied in [1], but that fix still leaked partial keys.

At the time of this writing, a fix is proposed at [2].

There is not yet a released version of Pagure with a fix, but Pagure
administrators can work around this issue by disabling the cron job. It
may be wise to delete all API tokens that may have been e-mailed after
disabling the cron job as a precautionary measure.
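As an added illustration of the defect class and its mitigation (example code, not Pagure's own; the token field names, the reminder wording and the settings URL are assumptions), the following compares a reminder that embeds the secret with one that refers to the token only by its user-visible label and expiry date. The leak check looks for any fragment of the secret, not just the full value, because a fix that prints only a prefix or suffix of the key still discloses key material, which is the problem the advisory notes with the partial fix.

```python
"""Constructed example: compose an API-token expiry reminder without
disclosing the secret, and check a message for full or partial leaks.
Not Pagure code; field names and message text are assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass
class ApiToken:
    # Field names are assumptions for this example, not Pagure's model.
    secret: str          # the bearer value; must never leave the server
    description: str     # user-supplied label, safe to show
    expiration: date


def _secret_fragments(secret: str, min_len: int):
    """Every substring of the secret with at least min_len characters.
    Used to detect partial-key leaks, not only the full value."""
    return {secret[i:i + n]
            for n in range(min_len, len(secret) + 1)
            for i in range(len(secret) - n + 1)}


def leaky_reminder(token: ApiToken) -> str:
    """The defective pattern: the reminder carries the token value."""
    return (f"Your API token {token.secret} ({token.description}) "
            f"expires on {token.expiration.isoformat()}.")


def safe_reminder(token: ApiToken, settings_url: str) -> str:
    """Reference the token only by its label and expiry date, and point
    the user to the settings page where the token is listed."""
    return (f"Your API token '{token.description}' expires on "
            f"{token.expiration.isoformat()}. Review or renew it at "
            f"{settings_url}.")


def leaks_token(message: str, token: ApiToken, min_len: int = 4) -> bool:
    """True if any fragment of the secret of at least min_len characters
    appears in the outgoing message. Suitable as a last-line check before
    a notification is handed to the mailer."""
    return any(frag in message
               for frag in _secret_fragments(token.secret, min_len))


if __name__ == "__main__":
    # Constructed sample token, not a real credential.
    tok = ApiToken("ABCDEF0123456789XYZ", "ci-deploy", date(2019, 3, 1))
    print("leaky:", leaks_token(leaky_reminder(tok), tok))
    print("safe :", leaks_token(safe_reminder(tok, "https://example.invalid/settings"), tok))
```

The `min_len` threshold is a heuristic: short fragments will occasionally match unrelated text, so tune it to the token alphabet and length in use and treat a match as a reason to block the send and log it rather than as proof of a leak.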


[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe
[1] https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a
[2] https://pagure.io/pagure/pull-request/4254
[3] https://nvd.nist.gov/vuln/detail/CVE-2019-7628
[4] https://pagure.io/pagure

