A new critical vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE) 16.0.0, tracked as CVE-2023-2825, has a CVSS score of 10. The Stormshield Customer Security Lab team details the protections Stormshield offers against it.


The context of CVE-2023-2825

A new vulnerability bearing the number CVE-2023-2825 has been discovered in the following products:

  • GitLab Enterprise Edition v16.0.0;
  • GitLab Community Edition v16.0.0.

This vulnerability has a CVSS 3.1 score of 10, the highest possible. The flaw allows a remote, unauthenticated attacker to read any file on the server when a document is attached to a public project nested in five groups.


The technical details of CVE-2023-2825

By requesting the attachment of a project nested in five groups and appending repetitions of "..%2F" to the URL, an attacker can bypass the checks intended to prevent this type of attack and browse the contents of the disk of the server running GitLab.

This makes it possible to retrieve server configuration data, such as the "etc/passwd" file, or even private keys.


Figure 1: Example of vulnerability exploitation


CVE-2023-2825 and Stormshield protections

Stormshield Network Security

The following generic IPS signature can already detect and block exploitation of the vulnerability:

  • http:80 -> Directory traversal
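The technical details above turn on one point: the traversal sequence is percent-encoded ("..%2F"), so a check that looks for a literal "../" in the raw URL never fires, while the decoded path the filesystem sees does climb out of the upload directory. The following added example (it is neither Stormshield's IPS logic nor GitLab's code) illustrates both sides of that point in Python: a generic directory-traversal detection rule that decodes before inspecting segments, run over a few constructed request paths shaped like the advisory's description, and a server-side confinement routine that refuses resolved paths escaping the upload root. Group, project and upload identifiers, the "/srv/uploads" root and the sample URLs are all constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample request paths (not captured traffic), modelled on the
# pattern in the advisory: an attachment URL under a project nested in five
# groups, with encoded "../" sequences appended in several encodings.
SAMPLE_REQUESTS = [
    "/g1/g2/g3/g4/g5/proj/uploads/abc123/report.pdf",
    "/g1/g2/g3/g4/g5/proj/uploads/abc123/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "/g1/g2/g3/g4/g5/proj/uploads/abc123/%2e%2e%2f%2e%2e%2fetc/passwd?x=1",
    "/g1/g2/g3/g4/g5/proj/uploads/abc123/..%252F..%252Fetc%252Fpasswd",
]


def naive_check(raw_url):
    """The weak check: look for a literal '../' in the raw, still-encoded URL.
    '..%2F' does not contain '../', so it passes."""
    return "../" in raw_url


def decode_fully(text, max_rounds=3):
    """Percent-decode until the string stops changing, so that double-encoded
    sequences (%252F -> %2F -> /) are unwrapped as well."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def path_segments(raw_url):
    """Segments of the request path as the filesystem would see them:
    query/fragment removed, percent-decoding applied, both slash styles split."""
    path = urlsplit(raw_url).path
    return [seg for seg in re.split(r"[\\/]", decode_fully(path)) if seg]


def is_traversal(raw_url):
    """Detection rule in the spirit of a generic 'Directory traversal'
    signature: flag any request whose decoded path contains a '..' segment."""
    return ".." in path_segments(raw_url)


def scan(requests):
    """Return the requests a defender would want alerted on."""
    return [r for r in requests if is_traversal(r)]


def resolve_upload(upload_root, requested):
    """Server-side confinement: lexically resolve the requested relative path
    under upload_root and refuse anything that climbs above it. Returns the
    resolved POSIX path, or None when the request escapes the root.
    A real handler should also realpath() the result to defeat symlinks; this
    example stays lexical so it runs without touching a filesystem."""
    parts = []
    for seg in path_segments(requested):
        if seg == ".":
            continue
        if seg == "..":
            if not parts:
                return None  # would climb above the upload root
            parts.pop()
        else:
            parts.append(seg)
    return upload_root.rstrip("/") + "/" + "/".join(parts)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = "ALERT" if is_traversal(req) else "ok   "
        print(f"{verdict} naive={naive_check(req)!s:5} {req}")
    print(resolve_upload("/srv/uploads", "abc123/report.pdf"))
    print(resolve_upload("/srv/uploads", "abc123/..%2F..%2Fetc%2Fpasswd"))
```

Running the script shows the naive check reporting False on every encoded sample while the decoded-segment rule flags all three, and the confinement routine returning None for the request that would leave the root. The ordering matters: the query string is split off before decoding so that an encoded "?" cannot hide part of the path, and decoding runs to a fixed point so a double-encoded separator is not missed.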

Confidence index of the protection offered by Stormshield

Confidence index of no false positives

Recommendations

We strongly recommend that you install GitLab patch version 16.0.1, which is already available.

Need more information about Stormshield protection? The Technical Support teams are at your disposal to help you. Contact them through the incident manager located in the MyStormshield private area. To access it, select the menu "Technical Support / Report an incident / Track an incident".
Stormshield's Threat Intelligence team has two primary missions: to study cyber threats in order to understand them, and to continuously improve the protections in Stormshield products, with the goal of contributing to the cybersecurity community's effort against cyber threats.
About the author
Edouard Simpere, Cyber Threat Intelligence Team Leader, Stormshield

With a strong appetite for dark humor, starred chefs' pastries and the Windows environment, Edouard is a cybersecurity buff, a real one. A living standard of internal mobility at Stormshield, he made his first, second and third steps around the Stormshield Endpoint Security Evolution product, as a developer, architect and technical leader. He then became head of the company's Threat Intelligence team, in charge of researching and maintaining the level of protection of all the company's products.