A vulnerability has been found in Forgejo up to 1.20.5 and classified as problematic. Affected by this vulnerability is an unknown code block of the component RSS Handler. The manipulation with an unknown input leads to a information exposure vulnerability. The CWE definition for the vulnerability is CWE-203. The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. As an impact it is known to affect confidentiality. The summary by CVE is:

Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.

The weakness was published 12/04/2023 as d7408d8b0b04afd2a3c8e23cc908e7bd3849f34d. The advisory is shared at codeberg.org. This vulnerability is known as CVE-2023-49948 since 12/03/2023. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

Upgrading to version 1.20.5-1 eliminates this vulnerability. The upgrade is hosted for download at codeberg.org. Applying the patch d7408d8b0b04afd2a3c8e23cc908e7bd3849f34d is able to eliminate this problem. The bugfix is ready for download at codeberg.org. The best possible mitigation is suggested to be upgrading to the latest version.

Productinfo

Name

• Forgejo

Version

• 1.20.0
• 1.20.1
• 1.20.2
• 1.20.3
• 1.20.4
• 1.20.5

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion