Bug 1673983 (CVE-2019-7628)

Summary: CVE-2019-7628 pagure: version 5.2 leaks API keys by e-mail
Product: [Other] Security Response Reporter: Randy Barlow <rbarlow>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bruno, ngompa13, pingou, vivekanand1101
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pagure 5.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1673984 1673985 1673986 (view as bug list) Environment:
Last Closed: 2019-04-11 14:56:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1673984, 1673985, 1673986    
Bug Blocks:    

Description Randy Barlow 2019-02-08 16:16:05 UTC 
It was discovered that Pagure[4] sends full API tokens in e-mails 
that are intended to remind users that the tokens are expiring soon[3].
The vulnerability was introduced in 5.2[0]. There was a partial fix
applied in [1], but that fix still leaked partial keys.

At the time of this writing, a fix is proposed at [2].

There is not yet a released version of Pagure with a fix, but Pagure
administrators can work around this issue by disabling the cron job. It
may be wise to delete all API tokens that may have been e-mailed after
disabling the cron job as a precautionary measure.


[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe
[1] https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a
[2] https://pagure.io/pagure/pull-request/4254
[3] https://nvd.nist.gov/vuln/detail/CVE-2019-7628
[4] https://pagure.io/pagure
Comment 1 Randy Barlow 2019-02-08 16:21:46 UTC 
To my knowledge, Pagure 5.2 is only included in Fedora Rawhide, Fedora 29, and EPEL 7 at the time of this writing. I used this URL to gather that information:

https://apps.fedoraproject.org/packages/pagure
Comment 2 msiddiqu 2021-08-24 10:51:14 UTC 
Fix: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4e72b179e4