Today Forgejo v1.20.5-0 was released.
This release contains an important security fix that adds protection to prevent a malicious actor from impersonating Forgejo users by using a copy of the database, as described below.
This release also contains bug fixes, as detailed in the release notes.
We strongly recommend that all Forgejo installations be upgraded to the latest version as soon as possible.
When a user logs into Forgejo, they can click the Remember This Device checkbox and their browser will store a Long-term authentication token provided by the server, in a cookie that will allow them to stay logged in for a number of days as defined by the LOGIN_REMEMBER_DAYS setting.

Given a copy of the Forgejo database, a Long-term authentication token can be constructed for any user and used to impersonate them. Such a token does not expire LOGIN_REMEMBER_DAYS days after it was created and remains valid for as long as users do not change their password. The construction of such a token does not involve any kind of brute-force or cracking; it only requires the values as stored literally in the database.
The former implementation was inherently insecure because it allowed the Long-term authentication token to be constructed from the database alone. It has been reworked to require additional information that exists only in the user's cookie. The idea is derived from a 2015 blog post where it is explained in more detail.

On 6 July 2023 the Forgejo security team notified the Gitea security team that the mechanism responsible for long-term authentication (the ‘remember me’ cookie) uses a weak construction technique. A possible solution was suggested together with a more detailed explanation. We requested a 90-day embargo, after which a patch to the v1.20 point release could be published.
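The property the fix restores is that a database copy on its own must not be enough to mint a valid long-term token. The following Go program is an added illustration of that property using the well-known selector/validator pattern; it is not Forgejo's code and makes no claim about the exact construction Forgejo uses. The in-memory Store, the cookie layout "selector:validator", the Record type and the hypothetical RebuildFromStoredRecord check are all constructed for this example. The database keeps only sha256(validator), so a record read from the table cannot be turned back into an accepted cookie, and expiry is enforced by the server rather than implied by the cookie.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Record is what the server persists for one remember-me token.
// Only the hash of the validator is stored, never the validator itself.
type Record struct {
	UserID    int64
	Hash      [32]byte // sha256(validator)
	ExpiresAt time.Time
}

// Store is an in-memory stand-in for the database table (constructed for this example).
type Store struct {
	records map[string]Record // keyed by selector
}

func NewStore() *Store { return &Store{records: map[string]Record{}} }

// randomHex returns n random bytes from crypto/rand, hex encoded.
func randomHex(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Issue creates a new long-term token for userID valid for ttl and returns the
// cookie value "selector:validator". The database only learns sha256(validator).
func (s *Store) Issue(userID int64, ttl time.Duration, now time.Time) (string, error) {
	selector, err := randomHex(12)
	if err != nil {
		return "", err
	}
	validator, err := randomHex(32)
	if err != nil {
		return "", err
	}
	s.records[selector] = Record{
		UserID:    userID,
		Hash:      sha256.Sum256([]byte(validator)),
		ExpiresAt: now.Add(ttl),
	}
	return selector + ":" + validator, nil
}

var ErrInvalid = errors.New("invalid or expired remember-me token")

// Verify looks up the record by selector, enforces the server-side expiry, then
// compares the hash of the presented validator in constant time.
func (s *Store) Verify(cookie string, now time.Time) (int64, error) {
	selector, validator, ok := strings.Cut(cookie, ":")
	if !ok {
		return 0, ErrInvalid
	}
	rec, found := s.records[selector]
	if !found {
		return 0, ErrInvalid
	}
	if now.After(rec.ExpiresAt) {
		delete(s.records, selector) // expired tokens are purged, not honoured
		return 0, ErrInvalid
	}
	got := sha256.Sum256([]byte(validator))
	if subtle.ConstantTimeCompare(got[:], rec.Hash[:]) != 1 {
		return 0, ErrInvalid
	}
	return rec.UserID, nil
}

// RebuildFromStoredRecord (hypothetical check) models someone holding only a copy
// of the table: they know the selector and the stored hash, but not the validator.
// The best they can do is present the hash itself, which Verify must reject.
func RebuildFromStoredRecord(s *Store, selector string) string {
	rec := s.records[selector]
	return selector + ":" + hex.EncodeToString(rec.Hash[:])
}

func main() {
	s := NewStore()
	now := time.Now()
	cookie, err := s.Issue(42, 7*24*time.Hour, now)
	if err != nil {
		panic(err)
	}
	uid, err := s.Verify(cookie, now)
	fmt.Println("real cookie ->", uid, err)
	selector, _, _ := strings.Cut(cookie, ":")
	_, err = s.Verify(RebuildFromStoredRecord(s, selector), now)
	fmt.Println("cookie rebuilt from the stored record ->", err)
}
```

The design choice worth noting is the split between the selector (a lookup key that may be stored in the clear) and the validator (a secret the server never keeps). Changing the stored hash algorithm to something slower is unnecessary here because the validator has 256 bits of entropy; what matters is that it is compared in constant time and that the expiry is checked against the record, so a cookie does not outlive the configured lifetime.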
If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!