Redhat Pagure vulnerabilities

5 known vulnerabilities affecting redhat/pagure.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 3

Vulnerabilities

CVE-2024-4981 | HIGH | CVSS 7.1 | fixed in 5.14.1 | 2025-05-12
CVE-2024-4981 [HIGH] CWE-552 (files or directories accessible to external parties): A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository containing symbolic links, the server could unintentionally incorporate and make visible content from outside the git repository.
Source: nvd
CVE-2024-4982 | MEDIUM | CVSS 6.5 | fixed in 5.14.1 | 2025-05-12
CVE-2024-4982 [MEDIUM] CWE-22 (path traversal): A directory traversal vulnerability was discovered in Pagure server. If a malicious user submits a specially crafted git repository, they could discover secrets on the server.
Source: nvd
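Both 2024 entries above describe the same underlying mistake: file content is read from a path built under a user-supplied git repository without confirming that the path, once symbolic links and `..` components are followed, still lies inside that repository. The following is an added illustration of that mistake beside a hardened version, written in generic Python; it is not Pagure's code and does not reproduce the specific Pagure code paths, which this page does not describe. The directory layout, file contents and the function names `naive_read`, `safe_read`, `build_fixture`, `attempt` and `demo` are all constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def naive_read(repo_root: str, rel_path: str) -> str:
    """Vulnerable pattern: join the request onto the repository root and read it.

    Path() follows symbolic links, honours '..', and lets an absolute second
    component replace the root entirely, so a repository that contains a symlink
    pointing outside its own tree (CWE-552) or a request carrying '..' (CWE-22)
    reaches files the server never meant to expose.
    """
    return Path(repo_root, rel_path).read_text()


def safe_read(repo_root: str, rel_path: str) -> str:
    """Hardened pattern: canonicalise root and target, then refuse anything
    whose canonical form is not the root or one of its descendants."""
    root = Path(repo_root).resolve()
    target = (root / rel_path).resolve()  # follows symlinks, collapses '..'
    if target != root and root not in target.parents:
        raise PermissionError(f"{rel_path!r} resolves to {target}, outside {root}")
    return target.read_text()


def build_fixture() -> str:
    """Constructed layout (hypothetical, not a Pagure repository):

        <base>/secret.txt                   file outside the repository
        <base>/repo/README.md               ordinary tracked file
        <base>/repo/leak -> ../secret.txt   symlink escaping the repository

    Returns the repository root.
    """
    base = Path(tempfile.mkdtemp())
    (base / "secret.txt").write_text("db_password=hunter2\n")
    repo = base / "repo"
    repo.mkdir()
    (repo / "README.md").write_text("hello\n")
    os.symlink("../secret.txt", repo / "leak")
    return str(repo)


def attempt(reader, repo_root: str, rel_path: str) -> str:
    """Return what a reader would serve, or 'BLOCKED' if it refused."""
    try:
        return reader(repo_root, rel_path)
    except PermissionError:
        return "BLOCKED"


def demo() -> dict:
    """Run the same four requests through both readers and collect the results."""
    repo = build_fixture()
    secret_abs = str(Path(repo).parent / "secret.txt")
    requests = {
        "README.md": "README.md",            # legitimate file inside the repo
        "symlink leak": "leak",              # symlink whose target is outside
        "dot-dot traversal": "../secret.txt",
        "absolute path": secret_abs,         # absolute component replaces the root
    }
    return {
        "naive": {label: attempt(naive_read, repo, p) for label, p in requests.items()},
        "safe": {label: attempt(safe_read, repo, p) for label, p in requests.items()},
    }


if __name__ == "__main__":
    for mode, results in demo().items():
        for label, out in results.items():
            print(f"{mode:5} {label:18} -> {out.strip()!r}")
```

The naive reader returns the secret for the symlink, the `..` request and the absolute path; the hardened reader serves only README.md and blocks the other three. Note that the check in `safe_read` is performed on the same canonical path that is then read, which avoids re-joining the unchecked string after the check, but it is still a check-then-use sequence: on a server that lets untrusted users rewrite repository contents between requests, opening with `O_NOFOLLOW` (or reading from a private checkout the user cannot modify) is the stronger control.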
CVE-2019-11556 | MEDIUM | CVSS 6.1 | fixed in 5.6 | 2020-09-25
CVE-2019-11556 [MEDIUM] CWE-79 (cross-site scripting): Pagure before 5.6 allows XSS via the templates/blame.html blame view.
Source: nvd
CVE-2019-7628 | MEDIUM | CVSS 5.9 | affected: 5.2 | 2019-02-08
CVE-2019-7628 [MEDIUM] CWE-200 (information exposure): Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on behalf of other users. This issue is found in the API token expiration reminder cron job in files/api_key_expire_mail.py; disabling that job is also a viable
Source: nvd
CVE-2017-1002151 | HIGH | CVSS 7.5 | affected: ≤ 3.3 | 2017-09-14
CVE-2017-1002151 [HIGH] CWE-285 (improper authorization): Pagure 3.3.0 and earlier is vulnerable to loss of confidentiality due to improper authorization.
Source: nvd