Forgejo v1.20.6-0 was released 28 November 2023.
This release contains a security fix related to permissions enforcement of API endpoints.
We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.
See the Forgejo v1.20.5-1 blog post for a detailed explanation on this kind of vulnerability.
The vulnerable API endpoints were those that allow a caller to:

- get the public key of a user
- get a release or a release attachment
- get OAuth2 applications (except for the secret)
Fixes were written for the vulnerable endpoints but not thoroughly tested.
The complete list of identified vulnerabilities was communicated by the Forgejo security team to Gitea on 5 November 2023, and the final version of the patch fixing all of them was sent on 24 November 2023 via encrypted email. In addition, two PRs (for v1.20 and v1.21) were sent to Gitea on 25 November 2023, prior to the announcement of the Forgejo release, to help fast-track a stable point release.
On 25 November 2023, shortly after the Forgejo v1.20.5-1 release, additional vulnerabilities were disclosed publicly, in contradiction with the Gitea and Forgejo security policies and with the general principles of responsible disclosure.

This unfortunate incident forced the immediate preparation of this Forgejo patch release. With no advance warning, only limited testing was possible, and there is a non-negligible risk of regression.

In such a situation, Forgejo admins and users suffer the consequences: either they are left unnecessarily exposed to publicly known vulnerabilities, or their instance may run into regressions because there was insufficient time for preparation and testing.
If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!