CVE-2023-49948: 
NixOS vulnerability analysis and mitigation

Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL (NVD). The vulnerability was discovered and disclosed on December 3, 2023, affecting all versions of Forgejo prior to version 1.20.5-1.

The vulnerability has a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD). The issue stems from insufficient validation when handling URL extensions, allowing unauthorized access to information about private user accounts through specially crafted URLs.

The vulnerability allows remote attackers to determine the existence of private user accounts on the system by simply appending extensions like .rss to URLs. This information disclosure could be used for reconnaissance and potentially lead to more targeted attacks (Forgejo Release Notes).

The vulnerability was fixed in Forgejo version 1.20.5-1. System administrators are strongly recommended to upgrade to this version or later as soon as possible. The fix includes proper validation of URL extensions and improved access controls (Forgejo Release Notes).