CVE-2019-7628
CVE-2019-7628 is a vulnerability of currently unknown severity. Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. EPSS estimates a 0.90% chance of exploitation in the next 30 days.
Description
Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Pagure | 5.2 |
References
- https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a (Issue Tracking, Patch, Vendor Advisory)
- https://pagure.io/pagure/issue/4230 (Issue Tracking, Patch, Vendor Advisory)
- https://pagure.io/pagure/issue/4252 (Broken Link)
- https://pagure.io/pagure/issue/4253 (Broken Link)
- https://pagure.io/pagure/pull-request/4254 (Issue Tracking, Patch, Vendor Advisory)
Source: NVD / NIST
