CVE-2019-7628 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2019-7628 Interim 1 7 2025-02-17T02:15:39Z current 2021-05-30T14:24:31Z 2025-02-17T02:15:39Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2019-7628 Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Tumbleweed pagure-5.13.2-2.2 pagure-ci-5.13.2-2.2 pagure-ev-5.13.2-2.2 pagure-loadjson-5.13.2-2.2 pagure-logcom-5.13.2-2.2 pagure-milters-5.13.2-2.2 pagure-mirror-5.13.2-2.2 pagure-theme-chameleon-5.13.2-2.2 pagure-theme-default-openSUSE-5.13.2-2.2 pagure-theme-default-upstream-5.13.2-2.2 pagure-theme-pagureio-5.13.2-2.2 pagure-theme-srcfpo-5.13.2-2.2 pagure-theme-upstream-5.13.2-2.2 pagure-web-apache-httpd-5.13.2-2.2 pagure-web-nginx-5.13.2-2.2 pagure-webhook-5.13.2-2.2 pagure-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-ci-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-ev-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-loadjson-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-logcom-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-milters-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-mirror-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-theme-chameleon-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-theme-default-openSUSE-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-theme-default-upstream-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-theme-pagureio-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-theme-srcfpo-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-theme-upstream-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-web-apache-httpd-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-web-nginx-5.13.2-2.2 as a component of openSUSE Tumbleweed pagure-webhook-5.13.2-2.2 as a component of openSUSE Tumbleweed Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.) CVE-2019-7628 openSUSE Tumbleweed:pagure-5.13.2-2.2 openSUSE Tumbleweed:pagure-ci-5.13.2-2.2 openSUSE Tumbleweed:pagure-ev-5.13.2-2.2 openSUSE Tumbleweed:pagure-loadjson-5.13.2-2.2 openSUSE Tumbleweed:pagure-logcom-5.13.2-2.2 openSUSE Tumbleweed:pagure-milters-5.13.2-2.2 openSUSE Tumbleweed:pagure-mirror-5.13.2-2.2 openSUSE Tumbleweed:pagure-theme-chameleon-5.13.2-2.2 openSUSE Tumbleweed:pagure-theme-default-openSUSE-5.13.2-2.2 openSUSE Tumbleweed:pagure-theme-default-upstream-5.13.2-2.2 openSUSE Tumbleweed:pagure-theme-pagureio-5.13.2-2.2 openSUSE Tumbleweed:pagure-theme-srcfpo-5.13.2-2.2 openSUSE Tumbleweed:pagure-theme-upstream-5.13.2-2.2 openSUSE Tumbleweed:pagure-web-apache-httpd-5.13.2-2.2 openSUSE Tumbleweed:pagure-web-nginx-5.13.2-2.2 openSUSE Tumbleweed:pagure-webhook-5.13.2-2.2 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N