RhodeCode Enterprise 2.2.7 Security Release

Published on February 12, 2015, by Sebastian


As part of our on-going efforts to keep our software stable and secure, we are informing our users today that our team discovered a security issue within the RhodeCode Enterprise API. We are releasing today RhodeCode Entprise 2.2.7 which fixes the security issue.

Vulnerability description

Users with both API and read access to a repository can obtain other users API keys (api_keys). The API methods listed below reveal the api_keys of the repository owner, or members of a particular User Group (user_group). The new release contains a security patch to obfuscate user API keys when these methods are used, as well as a few other improvements to the system.

  • get_repo
  • update_repo
  • get_locks
  • get_user_groups

These API methods don’t check if the caller has super-admin access and expose all repository details. This only applies if there is an existing user that already has access to the RhodeCode system.

The exposed data from an API call allows an attacker to obtain access to other users api_keys. If that user has administrator rights, the attacker could start using the obtained api_keys to change system parameters.

Upgrade to 2.2.7 Is Fixing Issue

Today we are releasing RhodeCode Enterprise 2.2.7 which contains an complete fix to that vulnerability. To expedite the adoption at our complete user base and to ensure a smooth upgrade we are offering free support to our full customer base, paying and non-paying.

Please contact us for assistance how to upgrade your RhodeCode Enterprise installation to the latest version 2.2.7

Additional Security Measures

System administrators are advised to reset or remove all existing API keys from the database. For users with the ishell command, you can use the following example reset after running paster ishell production.ini:

from rhodecode.lib.auth import generate_auth_token
for u in User.query().all():
    u.api_key = generate_auth_token(u.username)
    Session().add(u)
    Session().commit()

for auth_token in UserApiKeys.query().all():
    auth_token.api_key = generate_auth_token('hello')
    Session().add(auth_token)
    Session().commit()

For database access only, we advise running an update statement on those database tables:

update users set api_key='';
update user_api_keys set api_key='';

comments powered by Disqus