It was discovered that Pagure [4] sends full API tokens in e-mails that are intended to remind users that the tokens are expiring soon [3]. The vulnerability was introduced in 5.2 [0]. A partial fix was applied in [1], but that fix still leaked partial tokens. At the time of this writing, a fix is proposed at [2].

There is not yet a released version of Pagure with a fix, but Pagure administrators can work around this issue by disabling the cron job that sends the expiration reminders. After disabling it, it may be wise to delete all API tokens that may already have been e-mailed, as a precautionary measure.

[0] https://pagure.io/pagure/c/57975ef30641907947038b608017a9b721eb33fe
[1] https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a
[2] https://pagure.io/pagure/pull-request/4254
[3] https://nvd.nist.gov/vuln/detail/CVE-2019-7628
[4] https://pagure.io/pagure
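The advisory's point that a truncated token is still a leak is easy to miss when reviewing a fix like [1]. The following Python example is an added illustration written for this page, not Pagure's code: three hypothetical ways of rendering the reminder body (full token, truncated token, no token at all) and a check that flags a body containing any run of the secret rather than only the whole value. The token value, ids and descriptions are constructed sample data.

```python
"""Illustration of the CVE-2019-7628 pattern (hypothetical, not Pagure's code).

Three ways to render an "API token expiring soon" reminder e-mail, plus a
check that flags a body which still carries the secret, in full or in part.
"""
import secrets


def render_vulnerable(token_id, token_secret, description, expires):
    """Puts the full secret in the mail body (the behaviour the advisory reports)."""
    return (
        f"Your API token '{description}' expires on {expires}.\n"
        f"Token: {token_secret}\n"
    )


def render_partial_fix(token_id, token_secret, description, expires):
    """Truncates the secret but still discloses a prefix of it (a partial fix)."""
    return (
        f"Your API token '{description}' expires on {expires}.\n"
        f"Token: {token_secret[:8]}...\n"
    )


def render_fixed(token_id, token_secret, description, expires):
    """Identifies the token only by its id and user-chosen description.

    No byte of the secret reaches the mail transport, so a mailbox or mail
    log compromise cannot disclose the credential.
    """
    return (
        f"Your API token #{token_id} ('{description}') expires on {expires}.\n"
        "Review it in your project settings; the token itself is not included here.\n"
    )


def leaks_secret(body, secret, min_run=6):
    """True if any substring of `secret` of length >= min_run appears in body.

    A truncated token is still a partial leak, so this catches prefixes,
    suffixes and interior runs of the secret, not only the whole value.
    """
    if len(secret) < min_run:
        return secret in body
    return any(
        secret[i:i + min_run] in body
        for i in range(len(secret) - min_run + 1)
    )


def audit_renderers(token_id, token_secret, description, expires):
    """Return {renderer name: leaks?} for the three renderers above."""
    renderers = {
        "vulnerable": render_vulnerable,
        "partial_fix": render_partial_fix,
        "fixed": render_fixed,
    }
    return {
        name: leaks_secret(fn(token_id, token_secret, description, expires), token_secret)
        for name, fn in renderers.items()
    }


if __name__ == "__main__":
    # Constructed sample token; a real deployment would read these from its DB.
    sample_secret = secrets.token_hex(32)
    for name, leaked in audit_renderers(17, sample_secret, "build-bot", "2019-03-01").items():
        print(f"{name:12s} leaks token: {leaked}")
```

Wiring `leaks_secret` into a unit test of the mail template is the check that would have caught the partial fix: it fails for both the original and the truncated body and passes only when the body references the token by id and description.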
To my knowledge, Pagure 5.2 is only included in Fedora Rawhide, Fedora 29, and EPEL 7 at the time of this writing. I used this URL to gather that information: https://apps.fedoraproject.org/packages/pagure
Fix: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4e72b179e4