CVE-2023-49948
Description
Forgejo before 1.20.5-1 lets remote attackers probe for private user accounts by appending .rss (or other extensions) to a URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Forgejo versions prior to 1.20.5-1 contain an information disclosure vulnerability where remote attackers can test for the existence of private user accounts by appending .rss (or another extension) to a URL. This occurs because the endpoint does not properly enforce access controls, allowing unauthenticated users to probe for accounts. Affected versions include all releases before 1.20.5-1 [1].
Exploitation
An attacker with network access to a Forgejo instance can craft a URL by appending an extension like .rss to a potential username. No authentication is required; the attacker simply observes the response (e.g., a 200 vs 404 status) to determine whether the account exists [1].
Impact
Successful exploitation reveals the existence of private user accounts, which may aid in further targeted attacks or social engineering. The vulnerability only leaks account presence, not sensitive content or credentials, but it violates the intended privacy of user visibility settings [1].
Mitigation
Forgejo version 1.20.5-1, released 25 November 2023, fixes this issue by enforcing proper access controls on the affected endpoints. Users should upgrade to this version or later as soon as possible [1]. No workaround is available for older versions.
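The probing behaviour described above leaves a recognisable trace in web server access logs: one client requesting many distinct single-segment paths with a feed suffix and receiving a mix of 200 and 404 responses. The following detector is an added example written for this record; it is not Forgejo code and has no relation to the actual fix. The common-log-format layout, the `.rss`/`.atom` suffix list, the `min_distinct` threshold and the sample log lines are all assumptions constructed for the demonstration.

```python
"""Flag clients that enumerate user accounts via feed-suffixed profile URLs.

Added example for this CVE record, not Forgejo's own code. The access-log
layout (Apache/nginx "common log format"), the suffix list and the threshold
are assumptions; SAMPLE_LOG is constructed data.
"""
import re
from collections import defaultdict

# Common log format (assumed): ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# A user-profile probe is a single path segment followed by a feed suffix,
# e.g. /alice.rss. Repository feeds such as /alice/website.rss have a second
# segment and are deliberately not matched.
FEED_SUFFIXES = ("rss", "atom")
PROBE_RE = re.compile(r'^/([A-Za-z0-9][A-Za-z0-9_.-]*)\.(%s)$' % "|".join(FEED_SUFFIXES))

# Constructed sample: 203.0.113.5 sweeps six names, the other two clients
# fetch a single legitimate feed (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Nov/2023:10:00:01 +0000] "GET /alice.rss HTTP/1.1" 200 512
203.0.113.5 - - [25/Nov/2023:10:00:02 +0000] "GET /bob.rss HTTP/1.1" 404 0
203.0.113.5 - - [25/Nov/2023:10:00:03 +0000] "GET /carol.rss HTTP/1.1" 200 498
203.0.113.5 - - [25/Nov/2023:10:00:04 +0000] "GET /dave.rss HTTP/1.1" 404 0
203.0.113.5 - - [25/Nov/2023:10:00:05 +0000] "GET /erin.atom HTTP/1.1" 404 0
203.0.113.5 - - [25/Nov/2023:10:00:06 +0000] "GET /frank.rss HTTP/1.1" 404 0
198.51.100.7 - - [25/Nov/2023:10:01:00 +0000] "GET /alice.rss HTTP/1.1" 200 512
198.51.100.7 - - [25/Nov/2023:10:01:01 +0000] "GET /alice/website HTTP/1.1" 200 8192
192.0.2.9 - - [25/Nov/2023:10:02:00 +0000] "GET /alice.rss HTTP/1.1" 200 512
192.0.2.9 - - [25/Nov/2023:10:02:30 +0000] "GET /alice.rss HTTP/1.1" 200 512
not a log line
"""


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings
    return rec


def probe_target(path):
    """Return the user name a feed-suffixed profile path refers to, else None."""
    m = PROBE_RE.match(path)
    return m.group(1) if m else None


def find_probing_clients(lines, min_distinct=5):
    """Return {ip: summary} for clients that touched >= min_distinct distinct
    profile feeds. Hits/misses are counted per request so the ratio is visible
    to an analyst; distinct target count, not volume, is the alert trigger."""
    per_ip = defaultdict(lambda: {"targets": set(), "hits": 0, "misses": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = probe_target(rec["path"])
        if name is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["targets"].add(name)
        if rec["status"] == 200:
            stats["hits"] += 1
        elif rec["status"] == 404:
            stats["misses"] += 1
    return {
        ip: {
            "distinct_targets": len(s["targets"]),
            "hits": s["hits"],
            "misses": s["misses"],
            "targets": sorted(s["targets"]),
        }
        for ip, s in per_ip.items()
        if len(s["targets"]) >= min_distinct
    }


if __name__ == "__main__":
    for ip, summary in find_probing_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {summary['distinct_targets']} distinct profile feeds, "
              f"{summary['hits']} found / {summary['misses']} missing -> {summary['targets']}")
```

On the constructed sample only 203.0.113.5 crosses the threshold; the two clients that repeatedly fetch a single feed do not, which keeps ordinary feed readers out of the alert. The threshold is the tuning knob: lower it on instances where few users publish feeds, raise it where legitimate aggregators poll many profiles.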
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: vulnerability mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.