Forgejo Arbitrary File Write Vulnerability Leading to Potential Remote Shell Access

Vulnerability

A vulnerability in Forgejo versions prior to 13.0.2 allows authenticated users to write to unintended files and possibly gain remote shell access on the server. This issue arises from improper handling of symlinks in template repositories, which can be exploited to corrupt files on the server or, under certain conditions, execute arbitrary commands via a remote shell. The vulnerability is present in Forgejo versions 11.0.7 and earlier, as well as in the 13.0.0 release.

Impact

Exploitation of this vulnerability can lead to unauthorized file modifications on the server, potential corruption of server files, and in specific configurations, remote shell access to the Forgejo server.

Reproduction

To reproduce this vulnerability, create a template repository that includes a symlink to a file outside the repository. When a new repository is created from this template, Forgejo will follow the symlink and write to the external file location. If the server's SSH access is configured to allow commands to be executed (by managing an 'authorized_keys' file), this can be exploited to gain remote shell access.
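The defensive check this issue calls for is to treat every symlink in a template repository as untrusted and to refuse (or skip) any link whose resolved target is not inside the repository tree before the template's contents are copied anywhere. The following Go program is an added example written for this page; it is not Forgejo's code, and the function names `FindEscapingSymlinks` and `isWithin` are assumptions. It walks a directory, reads each symlink, resolves it with `filepath.EvalSymlinks`, and reports links that point outside the root or that dangle (a dangling link is reported too, since a later write through it would create a file wherever the link points).

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding describes one symlink that must not be followed when copying a
// template: either it resolves outside the template root or it dangles.
type Finding struct {
	Link   string // symlink path, relative to the template root
	Target string // raw link target as stored in the filesystem
}

// FindEscapingSymlinks walks root and reports every symlink whose resolved
// target lies outside root, plus every dangling symlink. Nothing is followed
// or copied; this is a pre-flight check for template contents.
func FindEscapingSymlinks(root string) ([]Finding, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	// Canonicalise the root itself so comparisons are not fooled by a
	// symlinked parent directory (e.g. /var -> /private/var on macOS).
	absRoot, err = filepath.EvalSymlinks(absRoot)
	if err != nil {
		return nil, err
	}

	var findings []Finding
	// WalkDir does not follow symlinks, so a symlinked directory shows up
	// as a single entry with ModeSymlink set rather than being descended.
	err = filepath.WalkDir(absRoot, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil // regular file or directory: nothing to check
		}
		target, err := os.Readlink(path)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(absRoot, path)

		resolved, err := filepath.EvalSymlinks(path)
		if err != nil {
			// Dangling link: the target does not exist yet. Report it rather
			// than guess where a write through it would land.
			findings = append(findings, Finding{Link: rel, Target: target})
			return nil
		}
		if !isWithin(absRoot, resolved) {
			findings = append(findings, Finding{Link: rel, Target: target})
		}
		return nil
	})
	return findings, err
}

// isWithin reports whether path is root itself or lies below root.
// Both arguments must already be absolute and canonical.
func isWithin(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: symlinkcheck <template-dir>")
		os.Exit(2)
	}
	findings, err := FindEscapingSymlinks(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("REJECT %s -> %s\n", f.Link, f.Target)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

The check compares canonical paths rather than inspecting the link text for `..`, so absolute targets, chained links and links through a symlinked parent are all handled the same way. A server that copies template repositories would run this over the checked-out template and abort (or drop the offending entries) on a non-empty result.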

Remediation

Users can upgrade to Forgejo version 13.0.2 or 11.0.7 to address this vulnerability.

Added: Dec 26, 2025, 12:17 AM
Updated: Dec 26, 2025, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 7.5
exploitability: 7.8
remediation: 7.7
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.