Vulnerability Description
In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Forgejo | Forgejo | < 1.20.5-1 |
Related Weaknesses (CWE)
References
- https://about.gitea.com/securityNot Applicable
- https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.mdRelease NotesVendor Advisory
- https://forgejo.org/2023-11-release-v1-20-5-1/Release NotesVendor Advisory
- https://github.com/gogs/gogs/securityNot Applicable
- https://about.gitea.com/securityNot Applicable
- https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.mdRelease NotesVendor Advisory
- https://forgejo.org/2023-11-release-v1-20-5-1/Release NotesVendor Advisory
- https://github.com/gogs/gogs/securityNot Applicable
FAQ
What is CVE-2023-49946?
CVE-2023-49946 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read ...
How severe is CVE-2023-49946?
CVE-2023-49946 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-49946?
Check the references section above for vendor advisories and patch information. Affected products include: Forgejo Forgejo.