GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects.
Recent assessments:
wvu-r7 at June 09, 2020 10:49pm UTC reported:
@zeroSteiner pointed us to this exploit chain today: <https://twitter.com/CasvCooten/status/1270374273849401346>. It uses CVE-2020-10535 to satisfy the authentication requirement. Note that <https://hackerone.com/reports/827052> already explains the path to RCE. We actually already have a Rails secret deserialization exploit, so “weaponizing” the exploit chain is possible. @adfoster-r7 has pointed out that GitLab requires a signed cookie, so this module will not work.
ericalexanderorg at May 15, 2020 6:13pm UTC reported:
@zeroSteiner pointed us to this exploit chain today: <https://twitter.com/CasvCooten/status/1270374273849401346>. It uses CVE-2020-10535 to satisfy the authentication requirement. Note that <https://hackerone.com/reports/827052> already explains the path to RCE. We actually already have a Rails secret deserialization exploit, so “weaponizing” the exploit chain is possible. @adfoster-r7 has pointed out that GitLab requires a signed cookie, so this module will not work.
Assessed Attacker Value: 5
Assessed Attacker Value: 4
packetstormsecurity.com/files/160441/GitLab-File-Read-Remote-Code-Execution.html
about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released
about.gitlab.com/releases/categories/releases
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10977