Supply Chain Attacks on Linux Distributions – Fedora Pagure

This article discusses security vulnerabilities found in Pagure, the software forge used by Fedora. The author discovered CVE-2024-47516, an argument injection vulnerability, along with three other vulnerabilities that together allowed remote code execution. By chaining these bugs, the author was able to modify repositories and potentially change the source code of Fedora packages. The article covers the technical details of the vulnerabilities, their impact, and the process of disclosing them to the Pagure maintainers. Ultimately, Fedora decided to migrate from Pagure to Forgejo, citing security concerns.

https://fenrisk.com/pagure
