CVE-2023-49946: 
NixOS vulnerability analysis and mitigation

CVE-2023-49946 affects Forgejo versions before 1.20.5-1, where certain endpoints failed to verify if an object belongs to a repository for which permissions are being checked. The vulnerability was discovered and disclosed in November 2023 (Forgejo Release, NVD).

The vulnerability stems from a missing verification check in API and web endpoints. While the permissions required for users performing actions on repositories were properly enforced, the system failed to verify if the target object (such as comments, issues, or pull requests) belonged to the repository against which permissions were being checked. The vulnerability has a CVSS v3.1 Base Score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) (NVD).

The vulnerability allows remote attackers to perform unauthorized actions including: reading private issues and pull requests, deleting issues, accessing information in repositories unrelated to the request (including private ones), deleting releases and tags, modifying comments, and performing other non-destructive actions such as creating issues or obtaining deploy public keys (Forgejo Release).

The vulnerability was fixed in Forgejo version 1.20.5-1. It is strongly recommended that all Forgejo installations are upgraded to this version or later as soon as possible. The fix includes additional verification checks for API and web endpoints to ensure objects belong to the correct repository (Forgejo Release).

The Forgejo security team identified the vulnerability on October 25, 2023, and attempted responsible disclosure to both Gitea and Gogs teams. While initial fixes were exchanged with the Gitea team, communication ceased after October 31, 2023. The Gogs developer was notified but did not respond. As a result of this incident, Forgejo implemented a new policy to provide advance warning of security releases (Forgejo Release).