{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97512?format=json","vulnerability_id":"VCID-s2hw-9311-rqa2","summary":"Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable solution. (E-mailing a substring of the API key was an attempted, but rejected, solution.)","aliases":[{"alias":"CVE-2019-7628"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/121853?format=json","purl":"pkg:deb/debian/pagure@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/pagure@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/121852?format=json","purl":"pkg:deb/debian/pagure@5.11.3%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/pagure@5.11.3%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/121855?format=json","purl":"pkg:deb/debian/pagure@5.14.1%2Bdfsg-7?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/pagure@5.14.1%252Bdfsg-7%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/121854?format=json","purl":"pkg:deb/debian/pagure@5.14.1%2Bdfsg-8?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/pagure@5.14.1%252Bdfsg-8%3Fdistro=trixie"}],"affected_packages":[],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-7628","reference_id":"","reference_type":"","scores":[{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41945","published_at":"2026-06-04T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.4202","published_at":"2026-06-05T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.4203","published_at":"2026-06-06T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42001","published_at":"2026-06-07T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41966","published_at":"2026-06-08T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41974","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-7628"}],"weaknesses":[],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s2hw-9311-rqa2"}