Multiple Critical Vulnerabilities in Pagure Lead to Remote Code Execution

Security researchers discovered multiple critical vulnerabilities in Pagure, the software forge used by Fedora, that together allow remote code execution (RCE). One flaw is an argument injection in the PagureRepo.log() function: attacker-controlled input reaches the argument list of a `git log` invocation, and git interprets a value that begins with `-` as an option rather than as a revision name, which turns the call into a write to an arbitrary file with attacker-chosen content. Other flaws included a path traversal and improper handling of symbolic links. Chained together, the vulnerabilities could be used to modify Fedora package specification files and so introduce malicious code into packages built from them. The file write also gave attackers a route to complete control of the Pagure server: overwriting `/srv/git/.bashrc`, the shell start-up file of the account that owns the git repositories, means that commands of the attacker's choosing run the next time that account gets an interactive shell. Fedora is migrating its forge to Forgejo, but the findings highlight how a single forge bug becomes a software supply chain compromise, and anyone still running a Pagure instance should treat it as exposed until it is patched.
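The argument-injection pattern described above, shown as an added example that is not Pagure's own code: a flawed `git log` wrapper places a caller-supplied ref where git still parses options, and git's real `--output=<file>` option (combined with `--format`) turns that into a file write; the hardened variant validates the ref and places it after `--end-of-options` so git never treats it as a flag. The function names, the ref regex and the stand-in target path are assumptions made for illustration; the exact Pagure code path is not reproduced.

```python
"""Argument injection into a `git log` wrapper: flawed argv construction beside a hardened one.

Added example, not Pagure's code. Ref values and the target path are constructed for illustration.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed inputs: a benign ref, and a template for a ref that git parses as an option.
# `git log --output=<file>` is a real git option that redirects the log to a file, so an
# unvalidated ref starting with "-" becomes a file write whose content is set by --format.
BENIGN_REF = "main"
MALICIOUS_REF_TEMPLATE = "--output={path}"


def build_log_argv_vulnerable(repo_path, ref):
    """Flawed pattern (assumed for illustration): the ref lands where git still parses options."""
    return ["git", "-C", repo_path, "log", "--format=%s", ref]


# Assumed policy: a ref is a plain branch, tag or commit name. No leading "-", no "..".
_REF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


def validate_ref(ref):
    """Return the ref unchanged if it looks like a plain revision name, else raise ValueError."""
    if not _REF_RE.fullmatch(ref) or ".." in ref or ref.endswith("/"):
        raise ValueError(f"invalid ref: {ref!r}")
    return ref


def build_log_argv_hardened(repo_path, ref):
    """Validated ref placed after --end-of-options (git >= 2.24), then `--` to end revisions."""
    ref = validate_ref(ref)
    return ["git", "-C", repo_path, "log", "--format=%s", "--end-of-options", ref, "--"]


def demo():
    """Create a throwaway repo and run the vulnerable argv with an injected ref.

    Returns None when git is not on PATH or a git command fails; otherwise a dict with the
    content the injected ref wrote to the stand-in target and whether the hardened path
    rejected the same input.
    """
    if shutil.which("git") is None:
        return None
    tmp = tempfile.mkdtemp()
    repo = os.path.join(tmp, "repo")
    # Fixed identity so `git commit` works in a clean environment.
    env = {**os.environ, "GIT_AUTHOR_NAME": "x", "GIT_AUTHOR_EMAIL": "x@example.com",
           "GIT_COMMITTER_NAME": "x", "GIT_COMMITTER_EMAIL": "x@example.com"}
    try:
        subprocess.run(["git", "init", "-q", repo], check=True, env=env)
        # The commit subject becomes the file content because of --format=%s.
        subprocess.run(["git", "-C", repo, "commit", "-q", "--allow-empty", "-m", "echo pwned"],
                       check=True, env=env)
        target = os.path.join(tmp, "dot_bashrc")  # stand-in for /srv/git/.bashrc
        evil = MALICIOUS_REF_TEMPLATE.format(path=target)
        subprocess.run(build_log_argv_vulnerable(repo, evil), check=True, env=env)
        written = open(target).read() if os.path.exists(target) else None
        try:
            build_log_argv_hardened(repo, evil)
            blocked = False
        except ValueError:
            blocked = True
    except subprocess.CalledProcessError:
        return None
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
    return {"file_written_by_vulnerable": written, "hardened_rejected": blocked}


if __name__ == "__main__":
    print(demo())
```

Validation alone is not enough: git adds options over time, so the `--end-of-options` separator is what guarantees the ref is parsed as a revision, and the `--` after it stops a ref from being read as a path. Both belong in any wrapper that builds a git command line from request data.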