A new critical vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE) 16.0.0, tracked as CVE-2023-2825, has a CVSS score of 10. The Stormshield Customer Security Lab team presents Stormshield's protection offerings.
The context of CVE-2023-2825
A new vulnerability, tracked as CVE-2023-2825, has been discovered in the following products:
- GitLab Enterprise Edition v16.0.0;
- GitLab Community Edition v16.0.0.
This vulnerability has a CVSS 3.1 score of 10, the highest possible. It allows a remote, unauthenticated attacker to read any file on the server when a document is attached to a public project nested in five groups.
The technical details of CVE-2023-2825
By requesting the attachment of a project nested in five groups and appending repeated "..%2F" sequences to the URL, it is possible to bypass the checks intended to prevent this type of attack and thus browse the contents of the disk of the server running GitLab.
This makes it possible to retrieve server configuration data, such as the "etc/passwd" file, or even private keys.
Figure 1: Example of vulnerability exploitation
CVE-2023-2825 and Stormshield protections
Stormshield Network Security
The following generic IPS signature already detects and blocks exploitation of the vulnerability:
- http:80 -> Directory traversal
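As an added example (not code from Stormshield or GitLab), a small Python log checker that applies the same idea as the generic directory-traversal signature above to web-server access logs: it percent-decodes each request target until it stops changing (so double-encoded forms are caught too), flags any resulting ".." segment, and counts how many levels the part after "/uploads/" climbs back out of the upload directory. The log lines, client addresses, group and file names are constructed placeholders.

```python
import re
from urllib.parse import unquote
# Constructed sample access-log lines; addresses, group names and file names
# are placeholders, not taken from the advisory or from a real GitLab server.
SAMPLE_LOG = """\
198.51.100.10 - - [24/May/2023:10:01:02 +0000] "GET /team/platform/proj/uploads/3f2a/design.png HTTP/1.1" 200 5120
198.51.100.11 - - [24/May/2023:10:01:05 +0000] "GET /team/platform/proj/uploads/3f2a/..%2F..%2F..%2F..%2Ftarget.txt HTTP/1.1" 200 1180
198.51.100.12 - - [24/May/2023:10:01:09 +0000] "GET /team/platform/proj/uploads/3f2a/%252e%252e%252Fnotes.txt HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so double-encoded %252e%252e%252F becomes '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escape_depth(relative_path: str) -> int:
    """Lexically count levels a relative path climbs above its start (no filesystem access)."""
    depth = lowest = 0
    for segment in relative_path.split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        lowest = min(lowest, depth)
    return -lowest

def check_request(target: str) -> dict:
    """Flag decoded '..' segments; count how far the part after /uploads/ climbs back up."""
    path = fully_decode(target.split("?", 1)[0])
    segments = [s for s in path.split("/") if s]
    escapes = 0
    if "uploads" in segments:
        escapes = escape_depth("/".join(segments[segments.index("uploads") + 1:]))
    return {"decoded": path, "traversal": ".." in segments, "escapes_uploads": escapes}

def scan_log(log_text: str) -> list:
    """Return one finding per log line whose request target contains traversal."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            result = check_request(match.group("target"))
            if result["traversal"]:
                findings.append({"client": line.split(" ", 1)[0], **result})
    return findings
```

On the sample log, the first line is clean, the second climbs three levels above the upload directory, and the third contains a double-encoded ".." that resolves without leaving it, which is still worth alerting on as probing.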
Confidence index of the protection offered by Stormshield
Confidence index of no false positives
We strongly recommend that you install GitLab patch version 16.0.1, which is already available.