CVE-2023-49946

Vulnerability

Forgejo versions before 1.20.5-1 contain a missing ownership check in certain API and web endpoints. These endpoints rely on object identifiers (e.g., comment IDs) but do not verify that the object belongs to the repository against which permissions are checked. This allows attackers to perform actions on objects in unrelated repositories, including private ones [1].

Exploitation

An attacker needs network access to the Forgejo instance and a valid user account (any level). By crafting requests with object identifiers from other repositories, the attacker can read or modify issues, pull requests, comments, releases, tags, and more, including those in private repositories. No special privileges beyond a basic account are required [1].

Impact

Successful exploitation leads to unauthorized information disclosure (reading private issues, pull requests, comments) and data integrity loss (deleting releases, tags, issues, comments). The attacker can also perform non-destructive actions like creating issues or moving pinned issues. The scope is cross-repository, affecting all repositories on the instance [1].

Mitigation

The vulnerability is fixed in Forgejo v1.20.5-1, released on 25 November 2023 [1]. Users are strongly recommended to upgrade immediately. No workarounds are mentioned. The fix includes additional verification and tests [1].