CVE-2023-49947: 
NixOS vulnerability analysis and mitigation

Forgejo before version 1.20.5-1 contains a security vulnerability that allows 2FA (Two-Factor Authentication) bypass when using docker login with Basic Authentication. The vulnerability was discovered and disclosed on November 25, 2023, affecting all Forgejo installations prior to version 1.20.5-1 (Forgejo Advisory).

The vulnerability stems from a missing two-factor authentication verification in the API endpoint used by docker login when using basic authentication. While 2FA checks were implemented in three different locations, the verification was missing specifically for the docker login endpoint. The issue has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating a high severity vulnerability (NVD).

When exploited, this vulnerability allows attackers to bypass the two-factor authentication requirement when using docker login with basic authentication, potentially compromising the security of protected resources that should require 2FA verification (Forgejo Advisory).

The vulnerability has been fixed in Forgejo version 1.20.5-1. The fix moves the 2FA check into the basic authentication process itself. Organizations running Forgejo installations are strongly recommended to upgrade to version 1.20.5-1 or later as soon as possible (Forgejo Advisory).

The Forgejo security team responsibly disclosed the vulnerability to both Gitea and Gogs teams on October 25, 2023. While initial fixes and tests were exchanged with the Gitea team, communication ceased after October 31, 2023. The Gogs developer was also notified but did not respond. As a result of this experience, Forgejo has implemented a new policy to provide advance warning of security releases (Forgejo Advisory).