FreeBSD : forgejo -- The scope of application tokens was not verified when writing containers or Conan packages. (eb437e17-66a1-11ef-ac08-75165d18d8d2)

high Nessus Plugin ID 206413

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the eb437e17-66a1-11ef-ac08-75165d18d8d2 advisory.

The forgejo team reports:
The scope of application tokens was not verified when writing containers or Conan packages. This is of no consequence when the user associated with the application token does not have write access to packages. If the user has write access to packages, such a token can be used to write containers and Conan packages. An application token that was used to write containers or Conan packages without the package:write scope will now fail with an unauthorized error. It must be re-created to include the package:write scope.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://codeberg.org/forgejo/forgejo/pulls/5149

http://www.nessus.org/u?b75ac477

Plugin Details

Severity: High

ID: 206413

File Name: freebsd_pkg_eb437e1766a111efac0875165d18d8d2.nasl

Version: 1.1

Type: local

Published: 8/31/2024

Updated: 8/31/2024

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:forgejo

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 8/30/2024

Vulnerability Publication Date: 8/26/2024