
Vulnerabilities Discovered in Forgejo Following Carrot Disclosure

Severity: Medium (Score: 54.9)

Sources: news.ycombinator.com, forgejo.org, codeberg.org

Summary

A security researcher identified multiple vulnerabilities in Forgejo, a self-hosted Git forge (a fork of Gitea) used by Fedora, including server-side request forgery (SSRF), cryptographic weaknesses, and authentication flaws. The researcher chained these vulnerabilities to achieve remote code execution (RCE) and other impact, although the RCE chain depends on non-default configuration. The researcher opted for a 'Carrot Disclosure' approach: publishing a redacted exploit to encourage Forgejo to improve its security posture. Following this disclosure, the researcher engaged with Forgejo's security team, providing recommendations and proof-of-concept exploits. The situation remains fluid while Forgejo's response is awaited.

Key Points:
  • Multiple vulnerabilities, including SSRF and an RCE chain, found in Forgejo.
  • Researcher used 'Carrot Disclosure' to incentivize security improvements.
  • Forgejo's response to the disclosure is currently pending.
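Of the flaw classes listed above, SSRF is the one a forge operator can harden against most directly, and a forge is exposed to it wherever it fetches a URL a user supplied (webhook targets, repository migration sources, avatar URLs). The page does not say which Forgejo feature carried the researcher's SSRF, so the example below addresses the class generically. It is an added illustration written for this summary in Go (the language Forgejo is implemented in); it is not Forgejo's code and not the researcher's proof of concept. The function names, the Resolver indirection and the hostnames and addresses in fakeLookup are constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
)

// ErrSSRF marks a URL that would make the server talk to a non-public address.
var ErrSSRF = errors.New("url resolves to a non-public address")
// Ranges a forge must never fetch for a user: RFC 1918/6598, loopback, link-local (cloud metadata), ULA, unspecified, multicast.
var blockedNets = mustCIDRs("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"100.64.0.0/10", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10",
	"fc00::/7", "0.0.0.0/8", "::/128", "224.0.0.0/4", "ff00::/8")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isPublicIP folds IPv4-mapped IPv6 (::ffff:10.0.0.1) to plain IPv4 first,
// so that spelling cannot slip past the list.
func isPublicIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// Resolver is injected so the check runs without DNS; production wraps net.DefaultResolver.LookupIPAddr.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// CheckOutboundURL validates a user-supplied URL before the server fetches it
// and returns the one IP the caller must dial: re-resolving the name later
// would let an attacker swap in a private record between check and use (DNS rebinding).
func CheckOutboundURL(ctx context.Context, raw string, lookup Resolver) (*url.URL, net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, nil, fmt.Errorf("scheme %q not allowed for outbound fetch", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, nil, errors.New("url has no host")
	}
	ips := []net.IP{net.ParseIP(host)} // a literal address needs no lookup
	if ips[0] == nil {
		if ips, err = lookup(ctx, host); err != nil || len(ips) == 0 {
			return nil, nil, fmt.Errorf("cannot resolve %s: %v", host, err)
		}
	}
	// Reject if any record is private: a hostile zone can mix public and private answers.
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return nil, nil, fmt.Errorf("%w: %s -> %s", ErrSSRF, host, ip)
		}
	}
	return u, ips[0], nil
}

// PinnedDialer dials the validated IP whatever host net/http passes in, so TLS SNI and
// the Host header keep the name. Install as http.Transport.DialContext; re-check on redirects.
func PinnedDialer(ip net.IP) func(ctx context.Context, network, addr string) (net.Conn, error) {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		_, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
	}
}

// fakeLookup is a constructed DNS fixture; these names and addresses are not real.
func fakeLookup(_ context.Context, host string) ([]net.IP, error) {
	switch host {
	case "hooks.example.test":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "rebind.attacker.test": // mixed answer: one public, one private record
		return []net.IP{net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}
```

In production, pass a Resolver that wraps net.DefaultResolver.LookupIPAddr, build the http.Client with a Transport whose DialContext is PinnedDialer(ip), and set http.Client.CheckRedirect to run CheckOutboundURL on every hop, since a public host that 302s to a loopback address is the usual way past a check that runs only once. Where the set of legitimate targets is known, an explicit allowlist is stronger than this denylist. The denylist matters because a forge typically listens on localhost or a private address itself, so an unchecked fetch from the server reaches the forge's own API and any neighbouring internal service with the server's network position.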

Key Entities

  • DDoS (attack_type)
  • Forgejo (platform)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-362 - Race Condition (cwe)
  • forgejo.org (domain)
  • Gitea (platform)
  • SSRF (vulnerability)