Headline
CVE-2023-49948: Forgejo Security Release 1.20.5-1
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.
Forgejo v1.20.5-1 was released 25 November 2023.
This release contains critical security fixes related to permissions enforcement of API endpoints.
This release also contains bug fixes, as detailed in the release notes.
Recommended Action
We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.
API and web endpoint vulnerable to manually crafted identifiers
Some API endpoints, such as adding a reaction to a comment, rely on an identifier unique to an object (a comment in this example). There are similar cases for web endpoints which are used by the Forgejo web interface.
The permissions required for the user performing the action on the repository are properly enforced. But a check was missing to ensure that the object (a comment in the example) also belongs to the repository the permissions are checked against. Without this check it is possible both to perform destructive actions and to access information in repositories unrelated to the request, including private ones.
API and web endpoints have been analysed, and those that were missing such a verification can be exploited by a malicious actor to:
- delete releases and tags
- delete and modify issues or pull requests comments
- reveal the content of issues or pull requests comments from private repositories
- perform other non-destructive actions such as creating issues, moving pinned issues, or obtaining deploy public keys
The vulnerable endpoints were fixed and tests written to verify the fix is effective.
docker login and 2FA
When using docker login to authenticate against a Forgejo instance using basic authentication, there needs to be an additional verification if 2FA is activated for the user. That verification was missing for the API endpoint used by docker login, thus bypassing 2FA.
Responsible disclosure to Gitea
On 25 October 2023 the Forgejo security team identified that multiple API and web endpoints were not protected against manually crafted identifiers, and the Gitea security team was notified. A 30-day embargo was requested, after which a patch to the v1.20 point release could be published. Further research from both Gitea and Forgejo teams in the following days revealed more vulnerabilities. Initial fixes and tests verifying they are effective were exchanged, but after their last email on 31 October 2023 the Gitea security team stopped responding. Given the severity of the vulnerability, the Forgejo security team asked again for feedback on 16 November 2023, but did not get any reply. Having exhausted all options for cooperation, the Forgejo security team completed the security fix on its own. The resulting fix which is published in this release was sent to the Gitea security team encrypted in its final version on 24 November 2023. At the time of publication, there was still no response from the Gitea security team.
Responsible disclosure to Gogs
The Gogs developer was notified of the vulnerability on 25 October 2023. There is no encrypted channel and only a terse but unambiguous message was sent. There has been no response.
Forgejo will give advance warning of security releases
Similar to what is done when a Go release contains a security fix, Forgejo will now publish advance warning of security releases. They will not reveal the details of the vulnerability but will allow Forgejo admins to plan ahead and better secure their instance. Anyone can watch to the dedicated tracker or subscribe to the RSS feed.
Gogs and Gitea upgrades to Forgejo
Gitea admins are reminded that Forgejo is a 100% compatible drop-in replacement for Gitea. It is enough to replace the Gitea binary or the container image with Forgejo and restart. No configuration modification is necessary. They are encouraged to choose that option to get this security fix as soon as possible.
In the absence of a security fix for Gogs, it is also possible to try and upgrade Gogs to Forgejo. Note however that such an upgrade will require manual intervention and configuration changes because the upgrade path has not been tested.
Contribute to Forgejo
If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!