Nexix Security Labs
GitLab Security Update: Patching a Critical Vulnerability (CVE-2023-2825)
GitLab addressed a critical vulnerability, CVE-2023-2825, by releasing version 16.0.1 on May 23, 2023. The vulnerability affects both the Community Edition (CE) and Enterprise Edition (EE) of version 16.0.0. It is a path traversal bug that allows unauthorized users to read arbitrary files on the server. The discovery was credited to pwnie, who reported it through GitLab's bug bounty program on HackerOne.
Advisory by GitLab
A critical-severity path traversal issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N, score 10.0) allows an unauthenticated malicious user to read arbitrary files on the server. The vulnerability is triggered when an attachment exists in a public project that is nested within at least five groups. It is imperative to address this vulnerability promptly to prevent unauthorized access and potential compromise of sensitive data.
Only version 16.0.0 of GitLab CE/EE has been found to be affected. If an attachment is present in a public project that is nested within at least five groups, an unauthenticated malicious user can exploit the path traversal to read any file on the server.
File Upload & Path Traversal
When you attach a file to a GitLab issue, a request to POST /:repo/upload is made. The JSON response returned by this request contains the URL at which the uploaded file can be retrieved.
The URL for the file is /:repo/uploads/:id/:file, where :file is the actual file name. Because GitLab does not sanitise this file path, any path may be supplied as :file and GitLab will return the corresponding file, which permits path traversal.
For the traversal to work, the '/' characters in the file path must be URL encoded. GitLab then reads the whole segment as a single parameter value and decodes it internally. If the '/' is left unencoded, GitLab interprets it as part of the route instead.
Encoding just the `/` was enough to bypass Nginx path errors.
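The route behaviour described above comes down to how the decoded :file parameter is joined to the upload directory. The following Ruby snippet is an added illustration, not GitLab's own code: it places a naive join (the flawed pattern the advisory describes) next to a hardened resolver that decodes the segment once, rejects absolute paths and unsafe characters, and then verifies that the canonical result still lies inside the upload's own directory. The root directory and upload id are constructed values; nothing is read from disk.

```ruby
# Added example: safe resolution of an upload filename. Not GitLab's code.
UPLOADS_ROOT = "/srv/uploads-demo"   # constructed root; any absolute path works

# Decode %XX sequences exactly once. Rolling our own keeps '+' literal and
# avoids a second decode pass, which would reopen the traversal.
def percent_decode(str)
  str.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# The flawed pattern: decode the parameter and join it without any check.
# With "..%2F..%2F..%2F..%2Fetc%2Fpasswd" the result leaves the upload root.
def unsafe_upload_path(upload_id, file_param)
  File.absolute_path(File.join(UPLOADS_ROOT, upload_id, percent_decode(file_param)))
end

# Hardened version: validate the id, decode once, reject obviously bad
# names, canonicalise, then require the result to stay under the base.
def safe_upload_path(upload_id, file_param)
  raise ArgumentError, "invalid upload id" unless upload_id.match?(/\A[A-Za-z0-9_-]+\z/)
  decoded = percent_decode(file_param)
  raise ArgumentError, "invalid filename" if decoded.empty? || decoded.include?("\0")
  raise ArgumentError, "absolute path rejected" if decoded.start_with?("/")

  base = File.absolute_path(File.join(UPLOADS_ROOT, upload_id))
  # File.absolute_path normalises ".." but, unlike File.expand_path, does not
  # expand "~user", so a file literally named "~root" cannot escape either.
  full = File.absolute_path(decoded, base)
  # Trailing separator so "/srv/uploads-demo/abc-evil" does not pass for base "/srv/uploads-demo/abc".
  raise ArgumentError, "path traversal rejected" unless full.start_with?(base + File::SEPARATOR)
  full
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_upload_path("abc123", "..%2F..%2F..%2F..%2Fetc%2Fpasswd")
  puts safe_upload_path("abc123", "report.pdf")
  begin
    safe_upload_path("abc123", "..%2F..%2F..%2F..%2Fetc%2Fpasswd")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The prefix check is the part that actually closes the hole: decoding and normalising are necessary, but only the comparison against the canonical base directory proves the final path is where it is supposed to be.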
How impactful is this vulnerability?
Being able to read local files anywhere on the server's filesystem is unquestionably critical. However, the conditions required for successful exploitation are unusual:
5-9 Nested Groups
A Public Project
In practice, the likelihood of these conditions occurring naturally is minimal. Nonetheless, an attacker who is able to register their own project could create the necessary group nesting themselves and so satisfy the preconditions for exploitation.
In the default configuration of GitLab's community edition, new user registrations are allowed but each registration requires administrative approval. Administrative approval can be disabled, however, which introduces additional risk. To mitigate that risk, administrators have alternative controls at their disposal, such as email domain validation, which restricts registration to trusted users whose email domains have been approved.
The GitLab arbitrary file read vulnerability (CVE-2023-2825) demands immediate attention from organizations utilizing the platform. By understanding the intricacies of this vulnerability and the associated exploitation technique, users can take proactive measures to mitigate risks and secure their GitLab instances. Regular patching, continuous monitoring, and a collaborative approach to cybersecurity are crucial for defending against emerging threats. Let us remain vigilant and dedicated to safeguarding the integrity and confidentiality of GitLab deployments.
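Patching is the fix, but the "continuous monitoring" part of that advice can be made concrete: because the traversal only works when the '/' characters in the :file segment are percent-encoded, the requests leave a distinctive trace in the web server access log. The Ruby script below is an added example (not a GitLab or Nginx tool) that scans constructed nginx-style log lines for requests to /uploads/:id/:file whose file segment, after a single decode, climbs out of the upload directory or names an absolute path. The IPs, upload id and paths in the sample lines are all constructed.

```ruby
# Added example: flag upload requests whose :file segment decodes to a traversal.
# Not part of GitLab; the log lines below are constructed for the demonstration.
LOG_LINES = [
  '203.0.113.5 - - [23/May/2023:10:00:01 +0000] "GET /g1/g2/g3/g4/g5/proj/uploads/0123456789abcdef0123456789abcdef/report.pdf HTTP/1.1" 200 512',
  '203.0.113.9 - - [23/May/2023:10:00:02 +0000] "GET /g1/g2/g3/g4/g5/proj/uploads/0123456789abcdef0123456789abcdef/..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
  '198.51.100.2 - - [23/May/2023:10:00:03 +0000] "GET /group/proj/-/issues/1 HTTP/1.1" 200 2048',
  '203.0.113.9 - - [23/May/2023:10:00:04 +0000] "GET /g1/proj/uploads/0123456789abcdef0123456789abcdef/%2Fetc%2Fhostname HTTP/1.1" 404 0',
].freeze

# Combined/common log format: client, timestamp, request line, status.
ACCESS_RE = %r{\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})}
# The upload route is /:repo/uploads/:id/:file; everything after the id is the file parameter.
UPLOAD_RE = %r{/uploads/(?<id>[^/]+)/(?<file>.+)\z}

# Decode %XX exactly once (the server decodes once; a second pass would over-match).
def percent_decode(str)
  str.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# A file segment is a traversal if it decodes to an absolute path, contains a
# backslash, or has a ".." path component anywhere in it.
def traversal?(file_segment)
  decoded = percent_decode(file_segment)
  return true if decoded.start_with?("/") || decoded.include?("\\")
  decoded.split("/").include?("..")
end

# Returns one hash per suspicious request; the status code tells the analyst
# whether the server actually served the file (200) or refused it (404).
def suspicious_upload_requests(lines)
  lines.filter_map do |line|
    m = ACCESS_RE.match(line) or next
    path = m[:path].split("?").first
    up = UPLOAD_RE.match(path) or next
    next unless traversal?(up[:file])
    { ip: m[:ip], time: m[:time], status: m[:status].to_i, file: percent_decode(up[:file]) }
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_upload_requests(LOG_LINES).each do |hit|
    puts "#{hit[:time]} #{hit[:ip]} status=#{hit[:status]} file=#{hit[:file]}"
  end
end
```

On a patched instance these requests should all end in 404; a 200 with a traversal-shaped file segment on a 16.0.0 instance is the signal worth alerting on.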
For more information visit us on: www.nexixsecuritylabs.com