CVE-2023-2825
Published 2023-05-26
CVE-2023-2825: An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read…
Priority: P2 · 73 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: public (Metasploit module and Nuclei template, see below)
EPSS: 71.64% (99.3rd percentile)
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab_ce | — | — |
Detection & IOCs (extracted from sources)
URL pattern: /{{group1}}/{{group2}}/{{group3}}/{{group4}}/{{group5}}/{{group6}}/{{group7}}/{{group8}}/{{group9}}/{{group10}}/{{group11}}/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
Detections:
- Detect path traversal exploitation attempts by monitoring HTTP requests to GitLab upload paths containing URL-encoded traversal sequences (..%2F) targeting /etc/passwd or other sensitive files.
- Detect successful reads by matching the hex signature for 'root:x' (726f6f743a78) in response bodies to GitLab upload-path traversal requests; it indicates /etc/passwd was returned.
- Detect exploitation by looking for HTTP responses with Content-Type 'application/octet-stream' and 'etc%2Fpasswd' in the response headers on GitLab upload endpoints.
- Use the Shodan dork for the GitLab-specific CSS asset fingerprint to identify exposed GitLab 16.0.0 instances vulnerable to CVE-2023-2825.
- Monitor GitLab logs for rapid sequential creation of deeply nested groups (5 to 11 levels) followed by a project creation and file upload, which is the prerequisite attack setup pattern.
- Monitor for unauthenticated GET requests to GitLab /uploads/ paths that contain URL-encoded path traversal sequences (..%2F) as an indicator of CVE-2023-2825 exploitation attempts.
Notes:
- The vulnerability affects GitLab CE/EE version 16.0.0 only; no other version is impacted, so vulnerable instances are rare in the wild.
- Exploitation requires an attachment in a public project nested within at least five groups; without that configuration the vulnerability cannot be triggered.
- Traversal depth is directly correlated with group nesting depth: the Metasploit module creates one group plus ten nested subgroups for a traversal depth of 11 (a minimum of 5 and up to 11 have been observed), and the Nuclei template uses eleven groups with twelve ..%2F segments.
- The Metasploit module (gitlab_authenticated_subgroups_file_read) requires authentication and the ability to create projects and groups, unlike the unauthenticated variant described in the CVE.
- The vulnerable code path is retrieve_from_store() in app/uploaders/object_storage.rb, introduced in 16.0.0, which does not sanitize the @filename variable.
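The request- and response-side IOCs above, turned into runnable detection logic as an added example (this is editor-written Ruby, not code from the page's sources, Nuclei or Metasploit). It runs over a few constructed access-log lines embedded in the script; the log format, group names and upload hash are assumptions, and the sensitive-file list is illustrative.

```ruby
require 'uri'

# Constructed sample access-log lines in nginx "combined"-style format
# (not real GitLab logs). Line 1: single-encoded traversal to /etc/passwd
# that returned 200. Line 2: a benign upload fetch. Line 3: a double-encoded
# attempt on /etc/shadow that returned 404. Line 4: a ".." outside any
# /uploads/ path, which must not be flagged.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [26/May/2023:10:01:02 +0000] "GET /g1/g2/g3/g4/g5/g6/proj/uploads/0123abcd/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1842
  198.51.100.9 - - [26/May/2023:10:01:05 +0000] "GET /g1/g2/proj/uploads/0123abcd/logo.png HTTP/1.1" 200 5120
  203.0.113.7 - - [26/May/2023:10:01:09 +0000] "GET /g1/g2/g3/g4/g5/g6/proj/uploads/0123abcd/%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0
  192.0.2.4 - - [26/May/2023:10:02:00 +0000] "GET /api/v4/projects?search=..%2Fx HTTP/1.1" 200 300
LOG

LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\S+)/

# Files worth a high-severity alert when they end the decoded path. The
# gitlab-secrets.json entry is the Omnibus secrets file; the list is illustrative.
SENSITIVE_FILES = ["/etc/passwd", "/etc/shadow", "/etc/gitlab/gitlab-secrets.json"].freeze

MAX_DECODE_ROUNDS = 3

# Percent-decode repeatedly (bounded) so that single-encoded "..%2F" and
# double-encoded "%252e%252e%252f" both collapse to "../". Invalid
# encodings are returned untouched rather than raising.
def fully_decode(str)
  cur = str
  MAX_DECODE_ROUNDS.times do
    nxt = URI.decode_www_form_component(cur)
    break if nxt == cur
    cur = nxt
  end
  cur
rescue ArgumentError
  str
end

def traversal_attempt?(decoded_path)
  decoded_path.include?("../") || decoded_path.include?("..\\")
end

# Only the path part of the request target, without the query string.
def path_only(target)
  target.split("?", 2).first
end

def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ip: m[:ip], method: m[:method], target: m[:target], status: m[:status].to_i }
end

# Request-side detection from the page's IOCs: a GitLab /uploads/ path whose
# decoded form contains a traversal sequence. Each hit records which
# sensitive file (if any) was targeted and whether the server answered 200.
def scan_access_log(text)
  text.each_line.filter_map do |line|
    rec = parse_line(line.chomp)
    next nil unless rec
    path = path_only(rec[:target])
    next nil unless path.include?("/uploads/")
    decoded = fully_decode(path)
    next nil unless traversal_attempt?(decoded)
    rec.merge(decoded: decoded,
              sensitive_file: SENSITIVE_FILES.find { |f| decoded.end_with?(f) },
              likely_success: rec[:status] == 200)
  end
end

# Response-side IOC: the hex signature 726f6f743a78 is simply "root:x",
# the start of the root entry in a typical /etc/passwd.
ROOT_X_HEX = "726f6f743a78".freeze

def passwd_leaked?(body)
  body.include?([ROOT_X_HEX].pack("H*"))
end

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ip]} status=#{hit[:status]} file=#{hit[:sensitive_file].inspect} " \
         "success=#{hit[:likely_success]} path=#{hit[:decoded]}"
  end
end
```

Decoding is bounded and repeated so a double-encoded %252e%252e%252f is caught alongside the plain ..%2F the IOCs mention, and the query string is dropped before matching so a ".." in a search parameter does not masquerade as an upload-path traversal. Pair a 200 on a flagged request with the 'root:x' body check for a confirmed read.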
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | 7.5 | HIGH | — |
| vendor_debian | 10.0 | LOW | — |
GHSA
GHSA-x4jh-5c6x-h92v [HIGH] CWE-22 · ghsa_unreviewed · 2023-05-26
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
OSV
CVE-2023-2825 [HIGH] · osv · 2023-05-26 · CVSS 7.5
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
GitLab
CVE-2023-2825 [CRITICAL] CWE-22 · vendor_gitlab · 2023-05-26 · CVSS 10.0
CVE-2023-2825: An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
Debian
CVE-2023-2825 [CRITICAL] gitlab · vendor_debian · 2023 · CVSS 10.0
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
Scope: local
sid: resolved
No detection rules found.
Metasploit
GitLab Authenticated File Read (gitlab_authenticated_subgroups_file_read) · metasploit
GitLab version 16.0 contains a directory traversal for arbitrary file read as the `gitlab-www` user. This module requires authentication for exploitation. In order to use this module, a user must be able to create a project and groups. When exploiting this vulnerability, there is a direct correlation between the traversal depth, and the depth of groups the vulnerable project is in. The minimum for this seems to be 5, but up to 11 have also been observed. An example of this, is if the directory traversal needs a depth of 11, a group and 10 nested child groups, each a sub of the previous, will be created (adding up to 11). Visually this looks like: Group1->sub1->sub2->sub3->sub4->sub5->sub6->sub7->sub8->sub9->sub10. If the depth was 5, a group and 4 nested chi
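To make the depth correlation concrete, an added illustrative Ruby example (editor-written, not GitLab's or the Metasploit module's code). It assumes a hypothetical upload-store layout whose directory mirrors the group nesting under an assumed root; the vulnerable resolver joins the caller-supplied filename unchecked, the hardened one refuses any filename that is not a single component or that resolves outside the store directory.

```ruby
require 'pathname'

# Assumed, illustrative upload-store layout (not GitLab's real storage code):
# files for a project are served from a directory that mirrors the group
# nesting, <root>/g1/.../gN/<project>/<secret>/<filename>.
UPLOAD_ROOT = "/var/opt/gitlab/uploads".freeze

def store_dir(groups, project, secret)
  File.join(UPLOAD_ROOT, *groups, project, secret)
end

# Number of "../" segments needed to climb from the store directory to "/".
# In this model it grows with the group nesting depth, which is the
# correlation the Metasploit description refers to.
def segments_to_root(groups, project, secret)
  Pathname.new(store_dir(groups, project, secret)).each_filename.count
end

# Vulnerable pattern: the caller-controlled filename is joined to the store
# directory and resolved with no check that the result stays inside it.
def vulnerable_resolve(groups, project, secret, filename)
  File.expand_path(File.join(store_dir(groups, project, secret), filename))
end

# An upload filename must be a single path component: no separators, and
# not "." or "..".
def sane_filename?(filename)
  filename == File.basename(filename) && !%w[. ..].include?(filename)
end

# Hardened pattern: reject non-simple filenames up front, then resolve and
# require the absolute result to remain under the store directory. Returns
# nil on refusal.
def safe_resolve(groups, project, secret, filename)
  return nil unless sane_filename?(filename)
  base = File.expand_path(store_dir(groups, project, secret))
  full = File.expand_path(File.join(base, filename))
  return nil unless full.start_with?(base + File::SEPARATOR)
  full
end

if __FILE__ == $PROGRAM_NAME
  groups = %w[g1 g2 g3 g4 g5]
  n = segments_to_root(groups, "proj", "abcd1234")
  payload = "../" * n + "etc/passwd"
  puts "segments to root: #{n}"
  puts "vulnerable: #{vulnerable_resolve(groups, 'proj', 'abcd1234', payload)}"
  puts "hardened:   #{safe_resolve(groups, 'proj', 'abcd1234', payload).inspect}"
end
```

In this model five groups put the store directory eleven components deep, so eleven ../ segments reach /etc/passwd and ten only reach /var/etc/passwd; a sixth group makes it twelve. The real storage layout differs, but the shape of the bug and of the fix do not, and the containment check has to run on the decoded filename: a literal ..%2F that was never decoded is just an odd but harmless name.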
Nuclei
GitLab 16.0.0 - Path Traversal [HIGH] · nuclei · CVSS 7.5
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups
Template:
```yaml
id: CVE-2023-2825
info:
  name: GitLab 16.0.0 - Path Traversal
  author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups
  impact: |
    Authenticated attackers can exploit path traversal vulnerabilities
```
Sentinelone
GitLab CVE-2023-2825: Unauthenticated Arbitrary File Read Vulnerability [CRITICAL] · blogs_sentinelone · 2023-06-08 · CVSS 10.0
## Introduction to GitLab CVE-2023-2825
On May 23, 2023, GitLab released version 16.0.1 to address CVE-2023-2825, a critical vulnerability in both the Community Edition (CE) and Enterprise Edition (EE) of GitLab version 16.0.0. A security researcher known as ‘pwnie’ reported it through HackerOne’s bug bounty program.
In this article, we delve into the specifics of CVE-2023-2825. The vulnerability, scored 7.5 by NVD (GitLab’s own advisory rates it 10.0), enables an unauthenticated user to read arbitrary files on the server under certain conditions. We walk through the steps to exploit it, highlight its impact, and stress the need for timely patching.
## Understanding the GitLab CVE
CVE-2023-2825, as described by GitLab’s advisory, is a path traversal is
Wiz
Crying Out Cloud - May Newsletter | Wiz [HIGH] · blogs_wiz · 2023-06-06 · CVSS 7.5
Over the last month, we've seen a couple of vulnerabilities pop up and some users have felt the impact of security incidents. We know you're busy too, so we've sifted through the noise to bring you the real game-changers, no fluff attached.
Without further ado, here are our handpicked cloud security highlights!
## ✨ Highlights
## RCE 0-day vulnerability in MOVEit Transfer exploited in the wild
On May 31, 2023, Progress published details of an RCE 0-day vulnerability being exploited in the wild in MOVEit Transfer (CVE-2023-34362), a Windows-Server-based managed file transfer (MFT) service. Users are urgently advised to patch to the fixed version. While our own data shows MOVEit Transfer can be found in less than 1% of cloud environments, based on other reports, most publicly exposed inst
Sentinelone
CVE-2023-26360: A Critical Vulnerability in Adobe ColdFusion [HIGH] · blogs_sentinelone · 2023-05-25 · CVSS 8.6
On March 8, 2023, Adobe released security updates to address a critical vulnerability in Adobe ColdFusion. CVE-2023-26360 is an improper access control vulnerability that could allow an attacker to execute arbitrary code on a vulnerable system.
The vulnerability exists in how ColdFusion handles the deserialization of untrusted data. An attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable ColdFusion server. The request would contain untrusted data that ColdFusion could deserialize and execute as code.
The vulnerability is rated critical because exploitation requires no user interaction: an attacker can trigger it directly against the server, with no victim action involved.
## What is Adobe ColdFusion?
Adobe ColdFusi
References:
- https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/412371
- https://hackerone.com/reports/1994725
Published: 2023-05-26