In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.
References
Link | Resource |
---|---|
https://about.gitea.com/security | Not Applicable |
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md | Release Notes Vendor Advisory |
https://forgejo.org/2023-11-release-v1-20-5-1/ | Release Notes Vendor Advisory |
https://github.com/gogs/gogs/security | Not Applicable |
Configurations
History
07 Dec 2023, 14:52
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-732 | |
CVSS | v2 : v3 : | v2 : unknown; v3 : 9.1 |
References | https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md - Release Notes, Vendor Advisory | |
References | https://forgejo.org/2023-11-release-v1-20-5-1/ - Release Notes, Vendor Advisory | |
References | https://about.gitea.com/security - Not Applicable | |
References | https://github.com/gogs/gogs/security - Not Applicable | |
CPE | cpe:2.3:a:forgejo:forgejo:*:*:*:*:*:*:*:* | |
First Time | Forgejo; Forgejo forgejo | |
03 Dec 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2023-12-03 19:15
Updated : 2024-02-28 20:54
NVD link : CVE-2023-49946
Mitre link : CVE-2023-49946
CVE.ORG link : CVE-2023-49946
Products Affected
forgejo
- forgejo
CWE
CWE-732
Incorrect Permission Assignment for Critical Resource