forgejo -- multiple vulnerabilities
Details
VuXML ID: 6dcf6fc6-bca0-11ef-8926-9b4f2d14eb53
Discovery: 2024-12-12
Entry: 2024-12-17
Problem Description:
- When Forgejo is configured to run the internal ssh server with
[server].START_SSH_SERVER=true, it was possible for a registered user
to impersonate another user. The rootless container image uses the
internal ssh server by default and was vulnerable. A Forgejo
instance running from a binary or from a root container image does
not use the internal ssh server by default and was not vulnerable.
Incorrect use of the crypto package was the root cause of the
vulnerability; it has been fixed in the internal ssh server.
- Revert "allow synchronizing user status from OAuth2 login
providers"
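As an added example (not part of the VuXML entry or of Forgejo's own code), a small check that reports whether an app.ini enables the internal ssh server via [server].START_SSH_SERVER, the deployment condition the advisory names; the configuration fragment is constructed, and the treatment of a missing key as "false" is an assumption drawn from the advisory's description of the defaults:

```python
import configparser

# Constructed sample of a Forgejo app.ini fragment (not taken from a real instance).
SAMPLE_APP_INI = """\
APP_NAME = Example Forge

[server]
PROTOCOL = http
DOMAIN = git.example.test
START_SSH_SERVER = true
SSH_PORT = 2222
"""

TRUE_VALUES = {"true", "1", "on", "yes"}


def uses_internal_ssh_server(app_ini_text: str) -> bool:
    """Return True when [server].START_SSH_SERVER turns on the built-in ssh server.

    Forgejo ini files may carry keys before the first section header, so a
    synthetic root section is prepended to keep configparser from rejecting
    them. Duplicate keys are tolerated (strict=False) and '%' in values is left
    alone (interpolation=None). Key lookup is case-insensitive, which is
    deliberately forgiving for a detection check. A missing key is treated as
    "false" (assumption based on the advisory's description of the defaults).
    """
    parser = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    parser.read_string("[__root__]\n" + app_ini_text)
    if not parser.has_section("server"):
        return False
    raw = parser.get("server", "START_SSH_SERVER", fallback="false")
    return raw.strip().strip('"').lower() in TRUE_VALUES


def main() -> None:
    # Prints whether the constructed sample matches the vulnerable deployment shape.
    print("internal ssh server enabled:", uses_internal_ssh_server(SAMPLE_APP_INI))


if __name__ == "__main__":
    main()
```

Run it against a real app.ini by reading the file's contents and passing the text to uses_internal_ssh_server.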
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright
information.