FreeBSD: VID-25a697de-bca1-11ef-8926-9b4f2d14eb53: forgejo -- unauthorized user impersonation
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Dec 17, 2024 | Dec 19, 2024 | Dec 10, 2025 |
Description
Problem Description: When Forgejo is configured to run the internal ssh server with [server].START_SSH_SERVER=true, it was possible for a registered user to impersonate another user. The rootless container image uses the internal ssh server by default and was vulnerable. A Forgejo instance running from a binary or from a root container image does not use the internal ssh server by default and was not vulnerable. The incorrect use of the crypto package is the root cause of the vulnerability and was fixed for the internal ssh server.

Revert "allow synchronizing user status from OAuth2 login providers"
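Exposure depends on whether the instance actually runs the internal ssh server, so a quick way to triage a fleet is to read each instance's app.ini for [server].START_SSH_SERVER. The check below is an added example, not Forgejo code or the advisory's own; it assumes the advisory's stated defaults (internal ssh server off for binary and root-image deployments, on for the rootless image) when the key is absent, and the sample app.ini contents are constructed.

```python
import configparser
from typing import Optional


def _parse_app_ini(text: str) -> configparser.RawConfigParser:
    # RawConfigParser: no %-interpolation, so values containing '%' survive.
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # Forgejo keys are case-sensitive (START_SSH_SERVER)
    # app.ini may carry keys (APP_NAME, RUN_USER) before the first section
    # header, which configparser rejects; give them a synthetic section.
    cp.read_string("[__root__]\n" + text)
    return cp


def _as_bool(raw: Optional[str]) -> bool:
    # Accept the usual ini spellings of "true"; quoted values are unquoted first.
    if raw is None:
        return False
    return raw.strip().strip('"\'').lower() in ("true", "1", "yes", "on")


def internal_ssh_enabled(app_ini: str, rootless_image: bool = False) -> bool:
    """True when this deployment runs Forgejo's internal ssh server.

    An explicit [server].START_SSH_SERVER wins. When the key is absent the
    advisory's defaults apply (assumption taken from the advisory text):
    rootless container image -> enabled, binary or root image -> disabled.
    """
    cp = _parse_app_ini(app_ini)
    if cp.has_section("server"):
        raw = cp.get("server", "START_SSH_SERVER", fallback=None)
        if raw is not None:
            return _as_bool(raw)
    return rootless_image


# Constructed sample configurations (not taken from any real instance).
SAMPLE_INTERNAL_SSH = """\
APP_NAME = Forgejo
RUN_USER = git

[server]
PROTOCOL = http
DOMAIN = git.example.test
START_SSH_SERVER = true
SSH_PORT = 2222
"""

SAMPLE_SYSTEM_SSH = """\
[server]
PROTOCOL = http
DOMAIN = git.example.test
SSH_PORT = 22
"""
```

An instance for which internal_ssh_enabled() returns True is in the configuration the advisory describes as affected and should be upgraded first.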
Solution
Upgrade the forgejo package (FreeBSD: pkg upgrade forgejo).