[Bug 1124762] New: VUL-0: CVE-2019-7628: pagure: leaks API keys by e-mailing them to users
http://bugzilla.opensuse.org/show_bug.cgi?id=1124762

Bug ID: 1124762
Summary: VUL-0: CVE-2019-7628: pagure: leaks API keys by e-mailing them to users
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: Other
URL: https://smash.suse.de/issue/224413/
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: ngompa13@gmail.com
Reporter: rfrohl@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2019-7628

Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-7628
https://pagure.io/pagure/pull-request/4254
https://pagure.io/pagure/issue/4253
https://pagure.io/pagure/issue/4252
https://pagure.io/pagure/issue/4230
https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a

--
You are receiving this mail because:
You are on the CC list for the bug.
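The pattern behind the advisory, shown as an added example rather than code from Pagure or from files/api_key_expire_mail.py: the leaky reminder that echoes the full token next to a hardened reminder that names the key only by its label and expiry date, plus a guard that refuses to hand a message to the mailer if the token, or any 8-character run of it, appears in the body (the "send a substring" variant the advisory says was rejected). The ApiKey record, field names, message wording and sample data are all assumptions made for this example.

```python
"""Added example, not Pagure's code: an API-key expiry reminder job that
never places the secret in the mail body, plus a guard that catches the
leaky pattern behind CVE-2019-7628 before anything reaches the MTA.

Everything here is hypothetical: the ApiKey record, the field names and
the message wording are assumptions, not taken from
files/api_key_expire_mail.py.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from email.message import EmailMessage


@dataclass(frozen=True)
class ApiKey:
    user: str          # recipient address (assumed field)
    description: str   # user-chosen label shown in the settings page
    token: str         # the secret; it must never leave the server by mail
    expires_on: date


def reminder_body_leaky(key: ApiKey) -> str:
    """The vulnerable pattern: the full token is echoed to the user.
    Any relay that accepts an unverified TLS certificate, or no TLS at
    all, lets a man-in-the-middle read it in transit."""
    return (f"Your API key {key.token} expires on {key.expires_on:%Y-%m-%d}. "
            "Create a new one from your settings page.")


def reminder_body_safe(key: ApiKey) -> str:
    """The hardened form: identify the key by label and expiry only.
    No prefix or suffix of the token either; a fragment still narrows
    an attacker's search and was rejected as a fix in the advisory."""
    return (f"Your API key '{key.description}' expires on "
            f"{key.expires_on:%Y-%m-%d}. Create a new one from your "
            "settings page.")


def contains_secret(text: str, token: str, min_fragment: int = 8) -> bool:
    """True if text carries the token or any run of min_fragment
    consecutive characters of it (catches the substring variant too)."""
    if token in text:
        return True
    for start in range(0, len(token) - min_fragment + 1):
        if token[start:start + min_fragment] in text:
            return True
    return False


def keys_expiring_within(keys, days: int, today: date):
    """Select the keys that expire within `days` of today; this is the
    set a reminder cron job would iterate over."""
    cutoff = today + timedelta(days=days)
    return [k for k in keys if today <= k.expires_on <= cutoff]


def build_reminder(key: ApiKey, sender: str,
                   body_fn=reminder_body_safe) -> EmailMessage:
    """Build the message and refuse to return one that leaks the token."""
    body = body_fn(key)
    if contains_secret(body, key.token):
        raise ValueError("refusing to mail an API key (or a fragment of it)")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = key.user
    msg["Subject"] = f"API key '{key.description}' expires soon"
    msg.set_content(body)
    return msg


# Constructed sample data for a stand-alone run (not real keys or users).
SAMPLE_TODAY = date(2019, 3, 1)
SAMPLE_KEYS = [
    ApiKey("alice@example.org", "ci-runner",
           "aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789", date(2019, 3, 10)),
    ApiKey("bob@example.org", "laptop",
           "zYxWvUtSrQpOnMlKjIhGfEdCbA9876543210", date(2019, 6, 1)),
]

if __name__ == "__main__":
    for key in keys_expiring_within(SAMPLE_KEYS, 10, SAMPLE_TODAY):
        print(build_reminder(key, "pagure@example.org").as_string())
```

The application cannot make the receiving relays validate certificates, which is why the only robust fix on the sending side is to keep the secret out of the message entirely; the guard in build_reminder turns that rule into something a test can enforce rather than a convention reviewers have to remember.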