CVE-2019-7628

Name of the Vulnerable Software and Affected Versions Pagure version 5.2

Description The issue allows for the leakage of API keys via email, which can be intercepted by man-in-the-middle attackers due to the lack of TLS certificate validation on many email servers. This can lead to unauthorized access to Pagure on behalf of other users. The problem is specifically found in the API token expiration reminder cron job, located in the files/api key expire mail.py file.

Recommendations For Pagure version 5.2, consider disabling the API token expiration reminder cron job as a temporary workaround to prevent API key leakage.