GitLab exposed to high-risk vulnerability

GitLab has released an emergency security update, version 16.0.1, to address a critical (CVSS v3.1 score: 10.0) path traversal vulnerability tracked as CVE-2023-2825.

GitLab is a web-based Git repository hosting and DevOps platform for development teams that need to manage their code remotely; it currently has about 30 million registered users and 1 million paying customers.

A security researcher named pwnie discovered CVE-2023-2825 and reported it through GitLab's HackerOne bug bounty program. The vulnerability affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0 only; all earlier versions are unaffected.

Vulnerability details

The vulnerability is a path traversal issue that allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. Because no account is needed, successful exploitation could expose sensitive data including proprietary source code, user credentials, tokens, configuration files, and other private information.

These prerequisites suggest that CVE-2023-2825 is related to how GitLab resolves the path of attached files in projects nested several levels deep in the group hierarchy. Because the issue is critical and the fix is only just available, GitLab has withheld further technical details for now and has instead repeatedly stressed that users should apply the latest security update.

In its security advisory, GitLab strongly recommends that all installations running a version affected by CVE-2023-2825 upgrade to the latest version as soon as possible. Where the advisory does not name a specific deployment type (Omnibus, source install, Helm chart, etc.), all deployment types are affected.

It's worth noting that CVE-2023-2825 can only be triggered under specific conditions, namely when an attachment exists in a public project nested at least five groups deep, a layout that not every GitLab installation uses. That narrows the set of instances that are exploitable today, but it does not make upgrading optional, since group hierarchies change over time.
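To check whether a self-managed instance actually meets that precondition, the following Python script is an added example (it is not GitLab's code and is not part of the original article). It evaluates the two conditions the advisory names: that the server reports version 16.0.0, and that at least one public project is nested five or more groups deep, which is where an attachment would have to live for the bug to be reachable. It assumes the response shapes of GitLab's REST API (`GET /api/v4/version` and `GET /api/v4/projects?visibility=public`, whose project objects carry `path_with_namespace` and `visibility`); the JSON embedded below is constructed sample data standing in for live responses. The script only inventories; it does not read files from, or otherwise exploit, the server.

```python
"""Exposure inventory for the CVE-2023-2825 preconditions.

Added example, not GitLab's code. Assumption: the inputs are shaped like
GitLab's REST API responses for GET /api/v4/version and
GET /api/v4/projects?visibility=public. The JSON below is constructed
sample data, not captured from a real instance.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample of GET /api/v4/version ("-ee" suffix = Enterprise Edition)
SAMPLE_VERSION = '{"version": "16.0.0-ee", "revision": "0123abcd"}'

# Constructed sample of GET /api/v4/projects?visibility=public (private
# project included to show it is ignored)
SAMPLE_PROJECTS = json.dumps([
    {"id": 1, "path_with_namespace": "acme/infra/k8s/prod/eu/cluster-config",
     "visibility": "public"},
    {"id": 2, "path_with_namespace": "acme/infra/k8s/prod/eu/deploy-keys",
     "visibility": "private"},
    {"id": 3, "path_with_namespace": "acme/website", "visibility": "public"},
    {"id": 4, "path_with_namespace": "a/b/c/d/e/f/g/deep-docs",
     "visibility": "public"},
])

AFFECTED_VERSIONS = {"16.0.0"}   # the only release the advisory lists
FIXED_VERSION = "16.0.1"
MIN_GROUP_DEPTH = 5              # "nested within at least five groups"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.0.0-ee' into (16, 0, 0); the edition suffix is irrelevant."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_is_affected(version_json: str) -> bool:
    """True when /api/v4/version reports a release the advisory lists."""
    reported = parse_version(json.loads(version_json)["version"])
    return any(reported == parse_version(v) for v in AFFECTED_VERSIONS)


def group_depth(path_with_namespace: str) -> int:
    """Number of groups above the project: 'g1/g2/g3/g4/g5/proj' -> 5."""
    return len(path_with_namespace.strip("/").split("/")) - 1


def projects_matching_precondition(projects_json: str) -> List[Dict]:
    """Public projects nested MIN_GROUP_DEPTH or more groups deep.

    An attachment uploaded to any of these projects would satisfy the
    advisory's trigger condition, so they are the ones to review first.
    """
    hits = []
    for project in json.loads(projects_json):
        # The bug is reachable without authentication, so only public
        # projects matter for this precondition.
        if project.get("visibility") != "public":
            continue
        depth = group_depth(project["path_with_namespace"])
        if depth >= MIN_GROUP_DEPTH:
            hits.append({"id": project["id"],
                         "path": project["path_with_namespace"],
                         "depth": depth})
    return hits


def exposure_report(version_json: str, projects_json: str) -> Dict:
    """Combine both checks into one verdict for an instance."""
    affected = version_is_affected(version_json)
    return {
        "version_affected": affected,
        "upgrade_to": FIXED_VERSION if affected else None,
        "candidate_projects": projects_matching_precondition(projects_json),
    }


if __name__ == "__main__":
    print(json.dumps(exposure_report(SAMPLE_VERSION, SAMPLE_PROJECTS), indent=2))
```

For live use, replace the two constructed strings with the response bodies of the corresponding API calls, remembering that the projects endpoint is paginated (`page`/`per_page`), so every page has to be walked before the candidate list is complete. A hit only means the project's position in the hierarchy satisfies the condition; it does not prove an attachment exists there, so treat the list as a review queue, and upgrade to 16.0.1 regardless of whether it comes back empty.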

Nonetheless, GitLab recommends that all users running GitLab 16.0.0 update to version 16.0.1 as soon as possible to reduce the risk.