oss-sec mailing list archives
CVE-2019-7628: Pagure version 5.2 leaks API keys by e-mail
From: Randy Barlow <randy () electronsweatshop com>
Date: Fri, 08 Feb 2019 09:08:22 -0500
It was discovered that Pagure[4] 5.2 e-mails full API tokens in e-mails that are intended to remind users that the tokens are expiring soon[3]. The vulnerability was introduced in 5.2[0]. There was a partial fix applied in [1], but that fix still leaked partial keys. At the time of this writing, a fix is proposed at [2]. There is not yet a released version of Pagure with a fix, but Pagure administrators can work around this issue by disabling the cron job. It may be wise to delete all API tokens that may have been e-mailed after disabling the cron job as a precautionary measure.

[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe
[1] https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a
[2] https://pagure.io/pagure/pull-request/4254
[3] https://nvd.nist.gov/vuln/detail/CVE-2019-7628
[4] https://pagure.io/pagure
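As an added illustration (not Pagure's code or the proposed fix), the pattern below renders an expiry reminder that identifies a token only by a non-secret fingerprint, and includes a check that a rendered message contains neither the full token nor a long substring of it, which is the partial-leak case the post describes. The token value, project name and label are constructed sample data.

```python
"""Expiring-token reminder that never carries the secret itself (added example)."""
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass
class ApiToken:
    id: str            # the secret value as issued to the user
    description: str   # user-supplied label already visible in the UI
    project: str
    expiration: date


def token_reference(token: ApiToken) -> str:
    """Non-secret handle for the token: a short SHA-256 fingerprint.
    It identifies the token to its owner without revealing any part of it."""
    return hashlib.sha256(token.id.encode()).hexdigest()[:12]


def expiring_token_message(token: ApiToken, today: date) -> str:
    """Body of the reminder e-mail. Only the label, fingerprint and dates appear."""
    days = (token.expiration - today).days
    return (
        f"Your API token '{token.description}' (fingerprint {token_reference(token)}) "
        f"for project {token.project} expires in {days} day(s), "
        f"on {token.expiration.isoformat()}.\n"
        "Open the project's settings page to review or renew it."
    )


def leaks_secret(message: str, secret: str, min_run: int = 6) -> bool:
    """True if the message contains the whole secret or any run of `min_run`
    consecutive characters from it. Catches 'ends in ...xxxxxxxx' style
    partial disclosures as well as the full token."""
    if secret in message:
        return True
    windows = (secret[i:i + min_run] for i in range(len(secret) - min_run + 1))
    return any(w in message for w in windows)


# Constructed sample token; not a real credential.
SAMPLE_TOKEN = ApiToken(
    id="e7GkQ2pZ9vNxLm4tR8bWcY3sHf6jDuA1",
    description="ci-deploy",
    project="rpms/example",
    expiration=date(2019, 2, 15),
)

if __name__ == "__main__":
    body = expiring_token_message(SAMPLE_TOKEN, date(2019, 2, 8))
    print(body)
    print("leaks secret:", leaks_secret(body, SAMPLE_TOKEN.id))
```

Running `leaks_secret` over every outbound notification template in a test suite is a cheap guard against reintroducing this class of bug.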