- From 15.0.2 changelog:
- PR: fix: prevent git write to wiki repo from unauthorized user via git HTTP
- PR: fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
- PR: fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
- PR: fix: implementing missing OAuth validation checks, improve protections against race conditions
- PR: fix: prevent OAuth redirect URI spoofing via non-ascii case collision
- PR: fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks
- From 15.0.1 changelog:
- PR: When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents. It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch. Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability. By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository. The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.
- From 15.0.0 changelog:
- PR: use keying for webhook secrets
- PR: use
- From 14.0.5 changelog:
- PR: When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents. It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch. Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability. By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository. The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.
- From 14.0.4 changelog:
- PR: Update dependency go to v1.25.9 (v14.0/forgejo)
- From 14.0.3 changelog:
- PR: fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the S256 algorithm
- PR: fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant
- PR: fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own
- PR: fix: email notifications for new releases could be sent to users that no longer have access to the repository, or to inactive users
- PR: fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references
- PR: fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR
- PR: fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects
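The S256 check that the PKCE entry above says was missing, as an added example written for this page (not Forgejo's implementation): the authorization server stores `code_challenge` and `code_challenge_method` with the authorization code, and at token exchange it recomputes `BASE64URL(SHA256(code_verifier))` per RFC 7636 §4.6 and compares. Unknown methods are rejected rather than skipped, which is the failure mode to guard against. The verifier/challenge pair used below is the one from RFC 7636 Appendix B.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// ChallengeS256 derives the code_challenge a client sends with the
// authorization request: BASE64URL-without-padding(SHA256(ASCII(verifier))).
func ChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// validVerifier enforces RFC 7636 §4.1: 43..128 characters from the
// unreserved set [A-Za-z0-9-._~].
func validVerifier(v string) bool {
	if len(v) < 43 || len(v) > 128 {
		return false
	}
	for _, c := range []byte(v) {
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9':
		case c == '-', c == '.', c == '_', c == '~':
		default:
			return false
		}
	}
	return true
}

// VerifyPKCE is the token-endpoint side. method and challenge were stored with
// the authorization code; verifier arrives with the exchange request. It must
// return false for any method it does not implement: silently accepting an
// unrecognised (or unchecked) method is exactly the defect a missing S256
// branch produces.
func VerifyPKCE(method, challenge, verifier string) bool {
	if !validVerifier(verifier) {
		return false
	}
	var expected string
	switch method {
	case "S256":
		expected = ChallengeS256(verifier)
	case "plain":
		expected = verifier
	default:
		return false
	}
	// Constant-time compare; challenge is attacker-influenced at auth time.
	return subtle.ConstantTimeCompare([]byte(expected), []byte(challenge)) == 1
}

func main() {
	// RFC 7636 Appendix B test vector.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	challenge := "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
	fmt.Println("derived challenge matches RFC:", ChallengeS256(verifier) == challenge)
	fmt.Println("S256 with correct verifier   :", VerifyPKCE("S256", challenge, verifier))
	fmt.Println("S256 with wrong verifier     :", VerifyPKCE("S256", challenge, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"))
	fmt.Println("unknown method               :", VerifyPKCE("sha1", challenge, verifier))
}
```

A quick way to audit a server for the bug described above is to run an authorization request with `code_challenge_method=S256` and then exchange the code with a random `code_verifier`; a correct implementation returns `invalid_grant`.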
See also: 39 open security issues