14 vulnerabilities found for pagure by redhat
CVE-2024-4982 (GCVE-0-2024-4982)
Vulnerability from nvd – Published: 2025-05-12 19:01 – Updated: 2025-05-12 19:16
Title
Pagure: path traversal in view_issue_raw_file()
Summary
A directory traversal vulnerability was discovered in Pagure server. If a malicious user submits a specially crafted git repository, they could discover secrets on the server.
Severity ?
7.6 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Date Public ?
2024-05-06 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4982",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T19:16:16.496352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T19:16:28.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pagure.io/pagure",
"defaultStatus": "unaffected",
"packageName": "pagure",
"versions": [
{
"lessThan": "5.14.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A directory traversal vulnerability was discovered in Pagure server. If a malicious user submits a specially cratfted git repository they could discover secrets on the server."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T19:01:45.824Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-4982"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279411"
},
{
"name": "RHBZ#2280726",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280726"
},
{
"url": "https://pagure.io/pagure/c/c43844d23c919133fc983fe8c0f1dfb3b86e67d0"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-15T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-05-06T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Pagure: path traversal in view_issue_raw_file()",
"x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-4982",
"datePublished": "2025-05-12T19:01:45.824Z",
"dateReserved": "2024-05-15T22:54:26.023Z",
"dateUpdated": "2025-05-12T19:16:28.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4981 (GCVE-0-2024-4981)
Vulnerability from nvd – Published: 2025-05-12 18:55 – Updated: 2025-05-12 19:05
Title
Pagure: _update_file_in_git() follows symbolic links in temporary clones
Summary
A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally incorporate and make visible content from outside the git repo.
Severity ?
7.6 (High)
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Date Public ?
2024-05-03 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4981",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T19:04:15.136644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T19:05:43.641Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pagure.io/pagure",
"defaultStatus": "unaffected",
"packageName": "pagure",
"versions": [
{
"lessThan": "5.14.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-05-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally show incorporate and make visible content from outside the git repo."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T18:59:13.483Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-4981"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278745"
},
{
"name": "RHBZ#2280723",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280723"
},
{
"url": "https://pagure.io/pagure/c/454f2677bc50d7176f07da9784882eb2176537f4"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-15T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-05-03T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Pagure: _update_file_in_git() follows symbolic links in temporary clones",
"x_redhatCweChain": "CWE-552: Files or Directories Accessible to External Parties"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-4981",
"datePublished": "2025-05-12T18:55:08.744Z",
"dateReserved": "2024-05-15T22:44:08.761Z",
"dateUpdated": "2025-05-12T19:05:43.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11556 (GCVE-0-2019-11556)
Vulnerability from nvd – Published: 2020-09-25 05:56 – Updated: 2024-08-04 22:55
Summary
Pagure before 5.6 allows XSS via the templates/blame.html blame view.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:40.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/commits/master"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.pagure.org/pagure/changelog.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pagure.io/pagure/c/31a0d2950ed409550074ca52ba492f9b87ec3318?branch=ab39e95ed4dc8367e5e146e6d9a9fa6925b75618"
},
{
"name": "openSUSE-SU-2020:1765",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00066.html"
},
{
"name": "openSUSE-SU-2020:1810",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pagure before 5.6 allows XSS via the templates/blame.html blame view."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-01T21:06:13.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/commits/master"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.pagure.org/pagure/changelog.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pagure.io/pagure/c/31a0d2950ed409550074ca52ba492f9b87ec3318?branch=ab39e95ed4dc8367e5e146e6d9a9fa6925b75618"
},
{
"name": "openSUSE-SU-2020:1765",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00066.html"
},
{
"name": "openSUSE-SU-2020:1810",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00007.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11556",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pagure before 5.6 allows XSS via the templates/blame.html blame view."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pagure.io/pagure/commits/master",
"refsource": "MISC",
"url": "https://pagure.io/pagure/commits/master"
},
{
"name": "https://docs.pagure.org/pagure/changelog.html",
"refsource": "CONFIRM",
"url": "https://docs.pagure.org/pagure/changelog.html"
},
{
"name": "https://pagure.io/pagure/c/31a0d2950ed409550074ca52ba492f9b87ec3318?branch=ab39e95ed4dc8367e5e146e6d9a9fa6925b75618",
"refsource": "CONFIRM",
"url": "https://pagure.io/pagure/c/31a0d2950ed409550074ca52ba492f9b87ec3318?branch=ab39e95ed4dc8367e5e146e6d9a9fa6925b75618"
},
{
"name": "openSUSE-SU-2020:1765",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00066.html"
},
{
"name": "openSUSE-SU-2020:1810",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00007.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11556",
"datePublished": "2020-09-25T05:56:42.000Z",
"dateReserved": "2019-04-26T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:55:40.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1000037 (GCVE-0-2016-1000037)
Vulnerability from nvd – Published: 2019-11-06 18:27 – Updated: 2024-08-06 03:47
Summary
Pagure: XSS possible in file attachment endpoint
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.824Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000037.json"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2016-1000037"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000037"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7EHB2WQ46M737B2STHQTOPTBSSQJDSS/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pagure: XSS possible in file attachment endpoint"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T18:27:55.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000037.json"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2016-1000037"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000037"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7EHB2WQ46M737B2STHQTOPTBSSQJDSS/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-1000037",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pagure: XSS possible in file attachment endpoint"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000037.json",
"refsource": "MISC",
"url": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000037.json"
},
{
"name": "https://security-tracker.debian.org/tracker/CVE-2016-1000037",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-1000037"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000037",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000037"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7EHB2WQ46M737B2STHQTOPTBSSQJDSS/",
"refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7EHB2WQ46M737B2STHQTOPTBSSQJDSS/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-1000037",
"datePublished": "2019-11-06T18:27:55.000Z",
"dateReserved": "2016-10-24T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:47:34.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-7628 (GCVE-0-2019-7628)
Vulnerability from nvd – Published: 2019-02-08 03:00 – Updated: 2024-08-04 20:54
Summary
Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Date Public ?
2019-02-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:54:27.895Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/pull-request/4254"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/issue/4230"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/issue/4252"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/issue/4253"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-02-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-08T03:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/pull-request/4254"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/issue/4230"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/issue/4252"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/issue/4253"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-7628",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a",
"refsource": "MISC",
"url": "https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a"
},
{
"name": "https://pagure.io/pagure/pull-request/4254",
"refsource": "MISC",
"url": "https://pagure.io/pagure/pull-request/4254"
},
{
"name": "https://pagure.io/pagure/issue/4230",
"refsource": "MISC",
"url": "https://pagure.io/pagure/issue/4230"
},
{
"name": "https://pagure.io/pagure/issue/4252",
"refsource": "MISC",
"url": "https://pagure.io/pagure/issue/4252"
},
{
"name": "https://pagure.io/pagure/issue/4253",
"refsource": "MISC",
"url": "https://pagure.io/pagure/issue/4253"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-7628",
"datePublished": "2019-02-08T03:00:00.000Z",
"dateReserved": "2019-02-07T00:00:00.000Z",
"dateUpdated": "2024-08-04T20:54:27.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-1002151 (GCVE-0-2017-1002151)
Vulnerability from nvd – Published: 2017-09-14 13:00 – Updated: 2024-09-17 02:36
Summary
Pagure 3.3.0 and earlier is vulnerable to loss of confidentiality due to improper authorization.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pagure Project | Pagure |
Affected:
unspecified , < 3.3.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:08:11.500Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/pull-request/2426"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/c/c92108097e8ae4702c115ae4702b63d960838e75.patch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pagure",
"vendor": "Pagure Project",
"versions": [
{
"lessThan": "3.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2017-07-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Pagure 3.3.0 and earlier is vulnerable to loss of confidentially due to improper authorization"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T13:00:00.000Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/pull-request/2426"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/c/c92108097e8ae4702c115ae4702b63d960838e75.patch"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "patrick@puiterwijk.org",
"DATE_ASSIGNED": "2017-07-22T15:12Z",
"ID": "CVE-2017-1002151",
"REQUESTER": "pingou@pingoured.fr",
"STATE": "PUBLIC",
"UPDATED": "2017-08-10T14:41Z"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pagure",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3.0"
}
]
}
}
]
},
"vendor_name": "Pagure Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pagure 3.3.0 and earlier is vulnerable to loss of confidentially due to improper authorization"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pagure.io/pagure/pull-request/2426",
"refsource": "MISC",
"url": "https://pagure.io/pagure/pull-request/2426"
},
{
"name": "https://pagure.io/pagure/c/c92108097e8ae4702c115ae4702b63d960838e75.patch",
"refsource": "MISC",
"url": "https://pagure.io/pagure/c/c92108097e8ae4702c115ae4702b63d960838e75.patch"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2017-1002151",
"datePublished": "2017-09-14T13:00:00.000Z",
"dateReserved": "2017-09-14T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:36:30.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1000007 (GCVE-0-2016-1000007)
Vulnerability from nvd – Published: 2016-10-07 18:00 – Updated: 2024-08-06 03:47
Summary
Pagure 2.2.1 XSS in raw file endpoint
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Date Public ?
2016-07-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.891Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/c/070d63983fe5daef92005ea33d3b8c693c224c77.patch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-07-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Pagure 2.2.1 XSS in raw file endpoint"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-10-07T17:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/c/070d63983fe5daef92005ea33d3b8c693c224c77.patch"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-1000007",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pagure 2.2.1 XSS in raw file endpoint"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pagure.io/pagure/c/070d63983fe5daef92005ea33d3b8c693c224c77.patch",
"refsource": "MISC",
"url": "https://pagure.io/pagure/c/070d63983fe5daef92005ea33d3b8c693c224c77.patch"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-1000007",
"datePublished": "2016-10-07T18:00:00.000Z",
"dateReserved": "2016-07-05T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:47:34.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4982 (GCVE-0-2024-4982)
Vulnerability from cvelistv5 – Published: 2025-05-12 19:01 – Updated: 2025-05-12 19:16
Title
Pagure: path traversal in view_issue_raw_file()
Summary
A directory traversal vulnerability was discovered in Pagure server. If a malicious user submits a specially crafted git repository, they could discover secrets on the server.
Severity ?
7.6 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Date Public ?
2024-05-06 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4982",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T19:16:16.496352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T19:16:28.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pagure.io/pagure",
"defaultStatus": "unaffected",
"packageName": "pagure",
"versions": [
{
"lessThan": "5.14.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A directory traversal vulnerability was discovered in Pagure server. If a malicious user submits a specially cratfted git repository they could discover secrets on the server."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T19:01:45.824Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-4982"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279411"
},
{
"name": "RHBZ#2280726",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280726"
},
{
"url": "https://pagure.io/pagure/c/c43844d23c919133fc983fe8c0f1dfb3b86e67d0"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-15T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-05-06T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Pagure: path traversal in view_issue_raw_file()",
"x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-4982",
"datePublished": "2025-05-12T19:01:45.824Z",
"dateReserved": "2024-05-15T22:54:26.023Z",
"dateUpdated": "2025-05-12T19:16:28.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4981 (GCVE-0-2024-4981)
Vulnerability from cvelistv5 – Published: 2025-05-12 18:55 – Updated: 2025-05-12 19:05
Title
Pagure: _update_file_in_git() follows symbolic links in temporary clones
Summary
A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally incorporate and make visible content from outside the git repo.
Severity ?
7.6 (High)
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Date Public ?
2024-05-03 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4981",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T19:04:15.136644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T19:05:43.641Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pagure.io/pagure",
"defaultStatus": "unaffected",
"packageName": "pagure",
"versions": [
{
"lessThan": "5.14.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-05-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally show incorporate and make visible content from outside the git repo."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T18:59:13.483Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-4981"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278745"
},
{
"name": "RHBZ#2280723",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280723"
},
{
"url": "https://pagure.io/pagure/c/454f2677bc50d7176f07da9784882eb2176537f4"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-15T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-05-03T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Pagure: _update_file_in_git() follows symbolic links in temporary clones",
"x_redhatCweChain": "CWE-552: Files or Directories Accessible to External Parties"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-4981",
"datePublished": "2025-05-12T18:55:08.744Z",
"dateReserved": "2024-05-15T22:44:08.761Z",
"dateUpdated": "2025-05-12T19:05:43.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11556 (GCVE-0-2019-11556)
Vulnerability from cvelistv5 – Published: 2020-09-25 05:56 – Updated: 2024-08-04 22:55
Summary
Pagure before 5.6 allows XSS via the templates/blame.html blame view.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:40.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/commits/master"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.pagure.org/pagure/changelog.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pagure.io/pagure/c/31a0d2950ed409550074ca52ba492f9b87ec3318?branch=ab39e95ed4dc8367e5e146e6d9a9fa6925b75618"
},
{
"name": "openSUSE-SU-2020:1765",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00066.html"
},
{
"name": "openSUSE-SU-2020:1810",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pagure before 5.6 allows XSS via the templates/blame.html blame view."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-01T21:06:13.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/commits/master"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.pagure.org/pagure/changelog.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pagure.io/pagure/c/31a0d2950ed409550074ca52ba492f9b87ec3318?branch=ab39e95ed4dc8367e5e146e6d9a9fa6925b75618"
},
{
"name": "openSUSE-SU-2020:1765",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00066.html"
},
{
"name": "openSUSE-SU-2020:1810",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00007.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11556",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pagure before 5.6 allows XSS via the templates/blame.html blame view."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pagure.io/pagure/commits/master",
"refsource": "MISC",
"url": "https://pagure.io/pagure/commits/master"
},
{
"name": "https://docs.pagure.org/pagure/changelog.html",
"refsource": "CONFIRM",
"url": "https://docs.pagure.org/pagure/changelog.html"
},
{
"name": "https://pagure.io/pagure/c/31a0d2950ed409550074ca52ba492f9b87ec3318?branch=ab39e95ed4dc8367e5e146e6d9a9fa6925b75618",
"refsource": "CONFIRM",
"url": "https://pagure.io/pagure/c/31a0d2950ed409550074ca52ba492f9b87ec3318?branch=ab39e95ed4dc8367e5e146e6d9a9fa6925b75618"
},
{
"name": "openSUSE-SU-2020:1765",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00066.html"
},
{
"name": "openSUSE-SU-2020:1810",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00007.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11556",
"datePublished": "2020-09-25T05:56:42.000Z",
"dateReserved": "2019-04-26T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:55:40.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1000037 (GCVE-0-2016-1000037)
Vulnerability from cvelistv5 – Published: 2019-11-06 18:27 – Updated: 2024-08-06 03:47
Summary
Pagure: XSS possible in file attachment endpoint
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.824Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000037.json"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2016-1000037"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000037"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7EHB2WQ46M737B2STHQTOPTBSSQJDSS/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pagure: XSS possible in file attachment endpoint"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-06T18:27:55.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000037.json"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2016-1000037"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000037"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7EHB2WQ46M737B2STHQTOPTBSSQJDSS/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-1000037",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pagure: XSS possible in file attachment endpoint"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000037.json",
"refsource": "MISC",
"url": "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000037.json"
},
{
"name": "https://security-tracker.debian.org/tracker/CVE-2016-1000037",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-1000037"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000037",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000037"
},
{
"name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7EHB2WQ46M737B2STHQTOPTBSSQJDSS/",
"refsource": "MISC",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7EHB2WQ46M737B2STHQTOPTBSSQJDSS/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-1000037",
"datePublished": "2019-11-06T18:27:55.000Z",
"dateReserved": "2016-10-24T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:47:34.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-7628 (GCVE-0-2019-7628)
Vulnerability from cvelistv5 – Published: 2019-02-08 03:00 – Updated: 2024-08-04 20:54
Summary
Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
Date Public ?
2019-02-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:54:27.895Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/pull-request/4254"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/issue/4230"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/issue/4252"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/issue/4253"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-02-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-08T03:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/pull-request/4254"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/issue/4230"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/issue/4252"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/issue/4253"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-7628",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a",
"refsource": "MISC",
"url": "https://pagure.io/pagure/c/9905fb1e64341822366b6ab1d414d2baa230af0a"
},
{
"name": "https://pagure.io/pagure/pull-request/4254",
"refsource": "MISC",
"url": "https://pagure.io/pagure/pull-request/4254"
},
{
"name": "https://pagure.io/pagure/issue/4230",
"refsource": "MISC",
"url": "https://pagure.io/pagure/issue/4230"
},
{
"name": "https://pagure.io/pagure/issue/4252",
"refsource": "MISC",
"url": "https://pagure.io/pagure/issue/4252"
},
{
"name": "https://pagure.io/pagure/issue/4253",
"refsource": "MISC",
"url": "https://pagure.io/pagure/issue/4253"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-7628",
"datePublished": "2019-02-08T03:00:00.000Z",
"dateReserved": "2019-02-07T00:00:00.000Z",
"dateUpdated": "2024-08-04T20:54:27.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-1002151 (GCVE-0-2017-1002151)
Vulnerability from cvelistv5 – Published: 2017-09-14 13:00 – Updated: 2024-09-17 02:36
Summary
Pagure 3.3.0 and earlier is vulnerable to loss of confidentiality due to improper authorization
Severity ?
No CVSS data available.
CWE
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Pagure Project | Pagure | Affected: unspecified, < 3.3.0 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:08:11.500Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/pull-request/2426"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/c/c92108097e8ae4702c115ae4702b63d960838e75.patch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pagure",
"vendor": "Pagure Project",
"versions": [
{
"lessThan": "3.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2017-07-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Pagure 3.3.0 and earlier is vulnerable to loss of confidentially due to improper authorization"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-14T13:00:00.000Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/pull-request/2426"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/c/c92108097e8ae4702c115ae4702b63d960838e75.patch"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "patrick@puiterwijk.org",
"DATE_ASSIGNED": "2017-07-22T15:12Z",
"ID": "CVE-2017-1002151",
"REQUESTER": "pingou@pingoured.fr",
"STATE": "PUBLIC",
"UPDATED": "2017-08-10T14:41Z"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pagure",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.3.0"
}
]
}
}
]
},
"vendor_name": "Pagure Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pagure 3.3.0 and earlier is vulnerable to loss of confidentially due to improper authorization"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pagure.io/pagure/pull-request/2426",
"refsource": "MISC",
"url": "https://pagure.io/pagure/pull-request/2426"
},
{
"name": "https://pagure.io/pagure/c/c92108097e8ae4702c115ae4702b63d960838e75.patch",
"refsource": "MISC",
"url": "https://pagure.io/pagure/c/c92108097e8ae4702c115ae4702b63d960838e75.patch"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2017-1002151",
"datePublished": "2017-09-14T13:00:00.000Z",
"dateReserved": "2017-09-14T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:36:30.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1000007 (GCVE-0-2016-1000007)
Vulnerability from cvelistv5 – Published: 2016-10-07 18:00 – Updated: 2024-08-06 03:47
Summary
Pagure 2.2.1 XSS in raw file endpoint
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
Date Public ?
2016-07-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:47:34.891Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pagure.io/pagure/c/070d63983fe5daef92005ea33d3b8c693c224c77.patch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-07-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Pagure 2.2.1 XSS in raw file endpoint"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-10-07T17:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pagure.io/pagure/c/070d63983fe5daef92005ea33d3b8c693c224c77.patch"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-1000007",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pagure 2.2.1 XSS in raw file endpoint"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pagure.io/pagure/c/070d63983fe5daef92005ea33d3b8c693c224c77.patch",
"refsource": "MISC",
"url": "https://pagure.io/pagure/c/070d63983fe5daef92005ea33d3b8c693c224c77.patch"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-1000007",
"datePublished": "2016-10-07T18:00:00.000Z",
"dateReserved": "2016-07-05T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:47:34.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}