|
Lines 1-3
Link Here
|
|
|
1 |
<vuln vid="38e6f778-bca3-11ef-8926-9b4f2d14eb53"> |
| 2 |
<topic>gitea -- Fix misuse of PublicKeyCallback</topic> |
| 3 |
<affects> |
| 4 |
<package> |
| 5 |
<name>gitea</name> |
| 6 |
<range><lt>1.22.6</lt></range> |
| 7 |
</package> |
| 8 |
</affects> |
| 9 |
<description> |
| 10 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 11 |
<h1>Problem Description:</h1> |
| 12 |
<ul> |
| 13 |
<li>Misuse of ServerConfig.PublicKeyCallback may cause authorization |
| 14 |
bypass in golang.org/x/crypto</li> |
| 15 |
</ul> |
| 16 |
</body> |
| 17 |
</description> |
| 18 |
<references> |
| 19 |
<url>https://github.com/go-gitea/gitea/pull/32810</url> |
| 20 |
<url>https://github.com/advisories/GHSA-v778-237x-gjrc</url> |
| 21 |
</references> |
| 22 |
<dates> |
| 23 |
<discovery>2024-12-12</discovery> |
| 24 |
<entry>2024-12-17</entry> |
| 25 |
</dates> |
| 26 |
</vuln> |
| 27 |
|
| 28 |
<vuln vid="453cd84e-bca4-11ef-8926-9b4f2d14eb53"> |
| 29 |
<topic>gitea -- multiple vulnerabilities</topic> |
| 30 |
<affects> |
| 31 |
<package> |
| 32 |
<name>gitea</name> |
| 33 |
<range><lt>1.22.5</lt></range> |
| 34 |
</package> |
| 35 |
</affects> |
| 36 |
<description> |
| 37 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 38 |
<h1>Problem Description:</h1> |
| 39 |
<ul> |
| 40 |
<li>Fix delete branch perm checking</li> |
| 41 |
<li>Upgrade crypto library</li> |
| 42 |
</ul> |
| 43 |
</body> |
| 44 |
</description> |
| 45 |
<references> |
| 46 |
<url>https://github.com/go-gitea/gitea/pull/32791</url> |
| 47 |
<url>https://github.com/go-gitea/gitea/pull/32654</url> |
| 48 |
</references> |
| 49 |
<dates> |
| 50 |
<discovery>2024-11-27</discovery> |
| 51 |
<entry>2024-12-17</entry> |
| 52 |
</dates> |
| 53 |
</vuln> |
| 54 |
|
| 55 |
<vuln vid="6ea20f0c-bca3-11ef-8926-9b4f2d14eb53"> |
| 56 |
<topic>gitea -- multiple vulnerabilities</topic> |
| 57 |
<affects> |
| 58 |
<package> |
| 59 |
<name>gitea</name> |
| 60 |
<range><lt>1.22.4</lt></range> |
| 61 |
</package> |
| 62 |
</affects> |
| 63 |
<description> |
| 64 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 65 |
<h1>Problem Description:</h1> |
| 66 |
<ul> |
| 67 |
<li>Fix basic auth with webauthn</li> |
| 68 |
<li>Refactor internal routers (partial backport, auth token const time comparing)</li> |
| 69 |
</ul> |
| 70 |
</body> |
| 71 |
</description> |
| 72 |
<references> |
| 73 |
<url>https://github.com/go-gitea/gitea/pull/32531</url> |
| 74 |
<url>https://github.com/go-gitea/gitea/pull/32473</url> |
| 75 |
</references> |
| 76 |
<dates> |
| 77 |
<discovery>2024-11-16</discovery> |
| 78 |
<entry>2024-12-17</entry> |
| 79 |
</dates> |
| 80 |
</vuln> |
| 81 |
|
| 82 |
<vuln vid="5ca064a6-bca1-11ef-8926-9b4f2d14eb53"> |
| 83 |
<topic>forgejo -- multiple vulnerabilities</topic> |
| 84 |
<affects> |
| 85 |
<package> |
| 86 |
<name>forgejo</name> |
| 87 |
<range><lt>9.0.2</lt></range> |
| 88 |
<package> |
| 89 |
<name>forgejo</name> |
| 90 |
<range><lt>7.0.11</lt></range> |
| 91 |
</package> |
| 92 |
</package> |
| 93 |
</affects> |
| 94 |
<description> |
| 95 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 96 |
<h1>Problem Description:</h1> |
| 97 |
<ul> |
| 98 |
<li>It was possible to use a token sent via email for secondary email validation to reset the password instead. In other words, a token sent for a given action (registration, password reset or secondary email validation) could be used to perform a different action. It is no longer possible to use a token for an action that is different from its original purpose.</li> |
| 99 |
<li>A fork of a public repository would show in the list of forks, even if its owner was not a public user or organization. Such a fork is now hidden from the list of forks of the public repository.</li> |
| 100 |
<li>The members of an organization team with read access to a repository (e.g. to read issues) but no read access to the code could read the RSS or atom feeds which include the commit activity. Reading the RSS or atom feeds is now denied unless the team has read permissions on the code.</li> |
| 101 |
<li>The tokens used when replying by email to issues or pull requests were weaker than the rfc2104 recommendations. The tokens are now truncated to 128 bits instead of 80 bits. It is no longer possible to reply to emails sent before the upgrade because the weaker tokens are invalid.</li> |
| 102 |
<li>A registered user could modify the update frequency of any push mirror (e.g. every 4h instead of every 8h). They are now only able to do that if they have administrative permissions on the repository.</li> |
| 103 |
<li>It was possible to use basic authorization (i.e. user:password) for requests to the API even when security keys were enrolled for a user. It is no longer possible, an application token must be used instead.</li> |
| 104 |
<li>Some markup sanitation rules were not as strong as they could be (e.g. allowing emoji somethingelse as well as emoji). The rules are now stricter and do not allow for such cases.</li> |
| 105 |
<li>When Forgejo is configured to enable instance wide search (e.g. with bleve), results found in the repositories of private or limited users were displayed to anonymous visitors. The results found in private or limited organizations were not displayed. The search results found in the repositories of private or limited user are no longer displayed to anonymous visitors.</li> |
| 106 |
</ul> |
| 107 |
</body> |
| 108 |
</description> |
| 109 |
<references> |
| 110 |
<url>https://codeberg.org/forgejo/forgejo/pulls/5974</url> |
| 111 |
<url>https://codeberg.org/forgejo/forgejo/pulls/5974</url> |
| 112 |
<url>https://codeberg.org/forgejo/forgejo/pulls/5974</url> |
| 113 |
<url>https://codeberg.org/forgejo/forgejo/pulls/5974</url> |
| 114 |
<url>https://codeberg.org/forgejo/forgejo/pulls/5974</url> |
| 115 |
<url>https://codeberg.org/forgejo/forgejo/pulls/5974</url> |
| 116 |
<url>https://codeberg.org/forgejo/forgejo/pulls/5974</url> |
| 117 |
<url>https://codeberg.org/forgejo/forgejo/pulls/5974</url> |
| 118 |
</references> |
| 119 |
<dates> |
| 120 |
<discovery>2024-12-12</discovery> |
| 121 |
<entry>2024-12-17</entry> |
| 122 |
</dates> |
| 123 |
</vuln> |
| 124 |
|
| 125 |
<vuln vid="25a697de-bca1-11ef-8926-9b4f2d14eb53"> |
| 126 |
<topic>forgejo -- unauthorized user impersonation</topic> |
| 127 |
<affects> |
| 128 |
<package> |
| 129 |
<name>forgejo</name> |
| 130 |
<range><lt>7.0.12</lt></range> |
| 131 |
</package> |
| 132 |
</affects> |
| 133 |
<description> |
| 134 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 135 |
<h1>Problem Description:</h1> |
| 136 |
<ul> |
| 137 |
<li>When Forgejo is configured to run the internal ssh server with |
| 138 |
[server].START_SSH_SERVER=true, it was possible for a registered user |
| 139 |
to impersonate another user. The rootless container image uses the |
| 140 |
internal ssh server by default and was vulnerable. A Forgejo |
| 141 |
instance running from a binary or from a root container image does |
| 142 |
not use the internal ssh server by default and was not vulnerable. |
| 143 |
The incorrect use of the crypto package is the root cause of the |
| 144 |
vulnerability and was fixed for the internal ssh server.</li> |
| 145 |
<li>Revert "allow synchronizing user status from OAuth2 login |
| 146 |
providers"</li> |
| 147 |
</ul> |
| 148 |
</body> |
| 149 |
</description> |
| 150 |
<references> |
| 151 |
<url>https://codeberg.org/forgejo/forgejo/pulls/6248</url> |
| 152 |
</references> |
| 153 |
<dates> |
| 154 |
<discovery>2024-12-12</discovery> |
| 155 |
<entry>2024-12-17</entry> |
| 156 |
</dates> |
| 157 |
</vuln> |
| 158 |
|
| 159 |
<vuln vid="6dcf6fc6-bca0-11ef-8926-9b4f2d14eb53"> |
| 160 |
<topic>forgejo -- multiple vulnerabilities</topic> |
| 161 |
<affects> |
| 162 |
<package> |
| 163 |
<name>forgejo</name> |
| 164 |
<range><lt>9.0.3</lt></range> |
| 165 |
</package> |
| 166 |
</affects> |
| 167 |
<description> |
| 168 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 169 |
<h1>Problem Description:</h1> |
| 170 |
<ul> |
| 171 |
<li>When Forgejo is configured to run the internal ssh server with |
| 172 |
[server].START_SSH_SERVER=true, it was possible for a registered user |
| 173 |
to impersonate another user. The rootless container image uses the |
| 174 |
internal ssh server by default and was vulnerable. A Forgejo |
| 175 |
instance running from a binary or from a root container image does |
| 176 |
not use the internal ssh server by default and was not vulnerable. |
| 177 |
The incorrect use of the crypto package is the root cause of the |
| 178 |
vulnerability and was fixed for the internal ssh server.</li> |
| 179 |
<li>Revert "allow synchronizing user status from OAuth2 login |
| 180 |
providers"</li> |
| 181 |
</ul> |
| 182 |
</body> |
| 183 |
</description> |
| 184 |
<references> |
| 185 |
<url>https://codeberg.org/forgejo/forgejo/pulls/6248</url> |
| 186 |
<url>https://codeberg.org/forgejo/forgejo/pulls/6249</url> |
| 187 |
</references> |
| 188 |
<dates> |
| 189 |
<discovery>2024-12-12</discovery> |
| 190 |
<entry>2024-12-17</entry> |
| 191 |
</dates> |
| 192 |
</vuln> |
| 193 |
|
| 1 |
<vuln vid="71f3e9f0-bafc-11ef-885d-901b0e934d69"> |
194 |
<vuln vid="71f3e9f0-bafc-11ef-885d-901b0e934d69"> |
| 2 |
<topic>py-matrix-synapse -- multiple vulnerabilities in versions prior to 1.120.1</topic> |
195 |
<topic>py-matrix-synapse -- multiple vulnerabilities in versions prior to 1.120.1</topic> |
| 3 |
<affects> |
196 |
<affects> |