Date: Tue, 10 Feb 2015 23:32:57 +0100
From: Andrew Shadura <>
Subject: CVE-2015-0260: Kallithea: API key of repository's creator exposed
 by get_repo API method


We have recently discovered a security issue in Kallithea [0].
The API key of a repository's creator is exposed by the get_repo API method.


A vulnerability has been found in Kallithea, allowing a remote attacker to gain
access to repositories with the privileges of another existing user.


The get_repo API method doesn't check the identity of the caller and exposes
all details about the repository "followers" regardless of whether they have
access to such data or not.

The structures returned by this method contain such sensitive information as
last login timestamp, IP addresses, authentication method details and private
API access keys:

    "followers": [
            "active": true,
            "admin": true,
            "api_key": "f5****9c",
            "api_keys": [
            "email": "",
            "emails": [
            "extern_name": "username",
            "extern_type": "pam",
            "firstname": "User",
            "ip_addresses": [],
            "last_login": "2015-02-08T18:17:39",
            "lastname": "Name",
            "user_id": 3,
            "username": "username"


The exposed information allows an attacker to track users and gain access to the
repositories using their API keys. If the user also has administrator
rights, it is possible for the attacker to gain full administrator access to
the Kallithea instance.


Users are advised to remove the API controller to prevent potential attackers
from accessing the API. This can be achieved by deleting or commenting out
lines 458-460 in kallithea/config/ An alternative to that may be
blocking or limiting access to /_admin/api URLs in the configuration of the
webserver or a front-end reverse proxy.

A patch to remove the API controller may look like this:

    diff --git a/kallithea/config/ b/kallithea/config/
    --- a/kallithea/config/
    +++ b/kallithea/config/
    @@ -455,9 +455,6 @@ def make_map(config):
         # API V2
    -    with rmap.submapper(path_prefix=ADMIN_PREFIX,
    -                        controller='api/api') as m:
    -        m.connect('api', '/api')
         #USER JOURNAL
         rmap.connect('journal', '%s/journal' % ADMIN_PREFIX,
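
Review bot: the `# API V2` comment kept as context at the top of this hunk is left heading nothing once the `rmap.submapper(...)` block and its `m.connect('api', '/api')` route are removed. Replace it with a comment saying the API route is deliberately disabled as a workaround for CVE-2015-0260, so that it is not restored by accident during a later merge. Since `/api` is the only route in the removed submapper, this takes the whole API offline for every caller, which is worth stating in the same comment.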


The Kallithea project has released a patch fixing this issue by removing the
sensitive information from API calls. It is strongly recommended that users
apply this patch. The patch applies to both the 0.1 release and the latest
Mercurial tip.

Unfortunately, this patch disables some API functionality where the information
exposure occurred. We will continue seeking a solution which prevents unauthorised
access and at the same time doesn't break existing API functionality. As soon
as such a solution is developed, we'll notify our users.

Users are also advised to reset or remove all existing API keys from the
database. For users with SQLite or PostgreSQL as the database backend,
a possible way to do so is to run the following SQL statements:

    update users set api_key='disabled-'||random();
    update user_api_keys set api_key='disabled-'||random();

Affected versions

The issue is currently present in all available Kallithea versions. Also,
the issue affects publicly available versions of RhodeCode that support
JSON-RPC API interface.


[0] Kallithea Project

[1] CVE-2015-0260

[2] Kallithea: Security Notice CVE-2015-0260

[2] Patch for the issue

[3] Mercurial changeset fixing the issue

  Andrew Shadura
  on behalf of Kallithea Security Team
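
A defender-side check that the fix has taken effect, added here as an example (not code from Kallithea or from this advisory): it scans a saved get_repo response for the sensitive fields named in the advisory and reports where they appear without echoing their values. The `id`/`result`/`error` response envelope and the function names are assumptions, and the sample response is constructed.

```python
import json

# Field names come from the advisory's sample output; the "sensitive" set
# follows its list: API keys, IP addresses, last login, auth method details.
SENSITIVE_KEYS = {
    "api_key", "api_keys", "ip_addresses",
    "last_login", "extern_name", "extern_type",
}


def find_exposed_fields(node, path="result"):
    """Return (path, populated) for every sensitive key under node.

    Only the location is reported, never the value, so the audit output
    can be shared without leaking the keys it found.
    """
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                # Empty string/list/None: key is present but carries no data.
                findings.append((child, value not in ("", [], None)))
            else:
                findings.extend(find_exposed_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_exposed_fields(item, f"{path}[{i}]"))
    return findings


def audit_get_repo_response(raw):
    """Audit one saved get_repo response body (a JSON string).

    Assumes an envelope with "id", "result" and "error" members.
    """
    body = json.loads(raw)
    if not isinstance(body, dict) or body.get("error") is not None:
        raise ValueError("not a successful API response")
    return find_exposed_fields(body.get("result"))


# Constructed sample shaped like the advisory's excerpt; all values are fake.
SAMPLE_UNPATCHED = json.dumps({"id": 1, "error": None, "result": {
    "repo_name": "example",
    "followers": [{
        "user_id": 3, "username": "username", "admin": True,
        "api_key": "CONSTRUCTED-KEY", "api_keys": [],
        "extern_type": "pam", "ip_addresses": [],
        "last_login": "2015-02-08T18:17:39",
    }],
}})
```

An empty result from `audit_get_repo_response` on a response captured with a low-privilege account is the expected outcome after patching; any entry with `populated` set to true means the keys involved should be treated as compromised and reset.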
