Information about a new critical vulnerability affecting Gitlab software has been disclosed. This vulnerability would allow a remote attacker to exploit a path traversal problem to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
N+1 groups are needed to be able to scale N directories. In a default installation, 11 groups would be needed to reach the server root directory, as the uploaded files are stored in the following path:
Gitlab Inc. is an open source company and is the leading provider of GitLab software, a version control and DevOps web service based on Git.
CVE-2023-2825 main characteristics
The main characteristics of the CVE-2023-2825 vulnerability are detailed below:
- CVE identifier: CVE-2023-2825
- Published date: 05/26/2023
- Affected software: Gitlab CE/EE
- CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N (10 Critical)
- Affected versions
- Exploitation requirements
- Attachment in a public project nested within at least five groups.
- In order to reach the root directory of the server in a default installation, 11 nested groups must be present.
The main solution is to urgently update Gitlab to the new versions available that fix this vulnerability:
Gitlab Inc. has released an advisory with official information and possible updates regarding this vulnerability.
The presence of the vulnerability can be identified using the proof of concept described in the following repository:
This script creates 11 groups and a public repository. Then uploads a file and exploits the vulnerability to demonstrate the ability to obtain files from the server by displaying the contents of the /etc/passwd file.
As part of its emerging vulnerability service, Tarlogic proactively monitors its customers perimeter to report, detect and urgently notify the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.