CVE-2023-2825: Critical vulnerability affects Gitlab
2023-5-30 15:21:53 Author: www.tarlogic.com(查看原文) 阅读量:25 收藏

Vulnerability CVE-2023-2825 affects GitLab software

Information about a new critical vulnerability affecting Gitlab software has been disclosed. This vulnerability would allow a remote attacker to exploit a path traversal problem to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

N+1 groups are needed to be able to scale N directories. In a default installation, 11 groups would be needed to reach the server root directory, as the uploaded files are stored in the following path:

/var/opt/gitlab/gitlab-rails/uploads/@hashed/<a>/<b>/<secret>/<secret>/<file>

Gitlab Inc. is an open source company and is the leading provider of GitLab software, a version control and DevOps web service based on Git.

CVE-2023-2825 main characteristics

The main characteristics of the CVE-2023-2825 vulnerability are detailed below:

  • CVE identifier: CVE-2023-2825
  • Published date: 05/26/2023
  • Affected software: Gitlab CE/EE
  • CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N (10 Critical)
  • Affected versions
    • 16.0.0
  • Exploitation requirements
    • Attachment in a public project nested within at least five groups.
    • In order to reach the root directory of the server in a default installation, 11 nested groups must be present.

Mitigation

The main solution is to urgently update Gitlab to the new versions available that fix this vulnerability:

  • 16.0.1

Gitlab Inc. has released an advisory with official information and possible updates regarding this vulnerability.

Vulnerability detection

The presence of the vulnerability can be identified using the proof of concept described in the following repository:

https://github.com/Occamsec/CVE-2023-2825

This script creates 11 groups and a public repository. Then uploads a file and exploits the vulnerability to demonstrate the ability to obtain files from the server by displaying the contents of the /etc/passwd file.

As part of its emerging vulnerability service, Tarlogic proactively monitors its customers perimeter to report, detect and urgently notify the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.

References


文章来源: https://www.tarlogic.com/blog/cve-2023-2825/
如有侵权请联系:admin#unsafe.sh