CVE-2023-2825
published 2023-05-26

Priority: P2 (73) · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 71.64% (99.3rd percentile)

An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

Affected (4 ranges)

Vendor    Product     Version range    Fixed in
debian    gitlab
gitlab    gitlab
gitlab    gitlab
gitlab    gitlab_ce

Detection & IOCs (extracted from sources)

path: /app/uploaders/object_storage.rb
path: /app/controllers/concerns/uploads_actions.rb
url: /{{group1}}/{{group2}}/{{group3}}/{{group4}}/{{group5}}/{{group6}}/{{group7}}/{{group8}}/{{group9}}/{{group10}}/{{group11}}/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
url: /a/b/c/d/e/f/g/proj
  • Detect path traversal exploitation attempts by monitoring HTTP requests to GitLab upload paths containing URL-encoded traversal sequences (..%2F) targeting /etc/passwd or other sensitive files.
  • Detect responses to GitLab upload path traversal requests by matching the hex signature for 'root:x' (726f6f743a78) in response bodies, indicating successful /etc/passwd read.
  • Detect exploitation by looking for HTTP responses with Content-Type 'application/octet-stream' and 'etc%2Fpasswd' in the response headers on GitLab upload endpoints.
  • Use the Shodan dork for the GitLab-specific CSS asset fingerprint to identify exposed GitLab 16.0.0 instances vulnerable to CVE-2023-2825.
  • Monitor GitLab logs for rapid sequential creation of deeply nested groups (5–11 levels) followed by a project creation and file upload, which is the prerequisite attack setup pattern.
  • Monitor for unauthenticated GET requests to GitLab /uploads/ paths that contain URL-encoded path traversal sequences (..%2F) as an indicator of CVE-2023-2825 exploitation attempts.
  • The vulnerability only affects GitLab CE/EE version 16.0.0 exactly; no other versions are impacted, making vulnerable instances rare in the wild.
  • Exploitation requires an attachment to exist in a public project nested within at least five groups; without this specific configuration, the vulnerability cannot be triggered.
  • The traversal depth is directly correlated to the nesting depth of groups (N+1 rule): to traverse N directories, the project must be nested within N+1 groups.
  • The Metasploit module (gitlab_authenticated_subgroups_file_read) requires authentication and the ability to create projects and groups, unlike the unauthenticated variant described in the CVE.
  • The vulnerable code path is in the retrieve_from_store() method introduced in /app/uploaders/object_storage.rb in version 16.0.0, which improperly sanitizes the @filename variable.
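The request-side and response-side detection ideas in the bullets above (URL-encoded ..%2F sequences under a GitLab /uploads/ path, the group-nesting prerequisite, and the 'root:x' hex signature) can be turned into a small log scanner. The following is an added example written for this page, not code from GitLab, the Metasploit module, or the sources the IOCs were extracted from. It assumes a simplified "METHOD PATH STATUS" log line format, a placeholder upload hash, and constructed sample lines; the decoder percent-decodes repeatedly so that a double-encoded ..%252F variant is caught as well, which goes beyond the single-encoded form shown in the IOC URL.

```python
from urllib.parse import unquote

# Constructed sample access-log lines (method, path, status), invented for this
# example; they are not captured GitLab logs. The upload hash is a placeholder.
SAMPLE_LOG = """\
GET /g1/g2/g3/g4/g5/g6/proj/uploads/0123456789abcdef0123456789abcdef/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd 200
GET /g1/g2/g3/g4/g5/g6/proj/uploads/0123456789abcdef0123456789abcdef/..%252F..%252F..%252Fetc%252Fpasswd 200
GET /g1/proj/uploads/0123456789abcdef0123456789abcdef/report.pdf 200
GET /g1/g2/proj/-/issues 200
GET /g1/g2/g3/g4/g5/g6/proj/uploads/0123456789abcdef0123456789abcdef/..%2F..%2Fimage.png 404
"""

# Response-side signature from the page: hex 726f6f743a78 is the ASCII string "root:x".
RESPONSE_SIGNATURE = bytes.fromhex("726f6f743a78")

# Nesting prerequisite stated in the advisory: project inside at least five groups.
MIN_GROUP_DEPTH = 5


def decode_fully(raw, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded ..%252F is caught too."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def analyse_request(method, raw_path):
    """Return a finding for a traversal attempt against a GitLab /uploads/ path, else None."""
    decoded = decode_fully(raw_path.split("?", 1)[0])
    segments = decoded.split("/")
    if "uploads" not in segments:
        return None
    upload_idx = segments.index("uploads")
    tail = segments[upload_idx + 1:]          # [upload-hash, ...filename parts]
    traversal_count = tail.count("..")
    if traversal_count == 0:
        return None
    # Segments before /uploads/ are the group chain plus the project itself.
    group_depth = max(len([s for s in segments[:upload_idx] if s]) - 1, 0)
    finding = {
        "method": method,
        "raw_path": raw_path,
        "decoded_path": decoded,
        "double_encoded": "%25" in raw_path,
        "group_depth": group_depth,
        "traversal_depth": traversal_count,
        "targets_passwd": decoded.endswith("/etc/passwd"),
        "prerequisite_met": group_depth >= MIN_GROUP_DEPTH,
    }
    finding["severity"] = "high" if finding["prerequisite_met"] else "medium"
    return finding


def scan_log(text):
    """Parse 'METHOD PATH STATUS' lines and return the list of findings."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        finding = analyse_request(parts[0], parts[1])
        if finding is not None:
            finding["status"] = parts[2] if len(parts) > 2 else None
            findings.append(finding)
    return findings


def response_indicates_passwd(body):
    """True when a response body carries the 'root:x' marker of a leaked /etc/passwd."""
    return RESPONSE_SIGNATURE in body


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["status"], f["group_depth"], f["traversal_depth"], f["decoded_path"])
```

Any ".." segment after the upload hash is reported, whatever the HTTP status, because a 404 on a shallow traversal is still an attempt worth correlating; the group depth only changes the severity, since the advisory ties exploitability to projects nested at least five groups deep.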

CVSS provenance

nvd             v3.1    7.5    HIGH    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv                     7.5    HIGH
vendor_debian          10.0    LOW