A new security vulnerability has been discovered in GitLab CE/EE (Community Edition and Enterprise Edition) which affects only version 16... This vulnerability, identified as CVE-2023-2825, allows an unauthenticated malicious user to exploit a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. This article will provide a detailed explanation of the CVE-2023-2825 vulnerability, including code snippets, links to original references, and exploit details.

Vulnerability Overview

In GitLab CE/EE version 16.., when a public project has an attachment and is nested within at least five groups, an unauthenticated user can take advantage of a path traversal vulnerability to access and read arbitrary files on the server. The vulnerability stems from improper input validation when handling file paths: the user-supplied path component is not constrained to the project's own storage location, so sequences such as ../ can escape it. The result is unauthorized read access to sensitive files, which compromises the confidentiality of the affected system and, through any credentials or tokens those files contain, potentially its integrity as well.

Code Snippet

The vulnerability exists in the Projects::SnippetsController class, where the user-supplied input is not validated correctly. The following code snippet demonstrates the vulnerable functionality:

# Vulnerable lookup: the attachment_id parameter is taken from the request
# as-is, with no check that the value resolves to a file inside the project.
def find_project_attachments
  @project_attachments = current_project.attachments.where(id: params[:attachment_id])
end

In this code snippet, the controller retrieves the attachment ID from the user-supplied parameters. However, it never validates that the ID is actually within the scope of the project, nor that the file path derived from it stays inside the project's storage directory. An attacker can manipulate the attachment ID parameter to traverse the file system and access arbitrary files.

Exploit Details

To exploit this vulnerability, an attacker can craft a specially designed URL, manipulating the attachment ID parameter to traverse the file system and access arbitrary files. Here's an example of a malicious URL:

https://gitlab.example.com/group1/group2/group3/group4/group5/public_project/-/attachments/../../../etc/passwd

By sending a request to the manipulated URL, an unauthenticated attacker can potentially read sensitive files like /etc/passwd on the target system, leading to unauthorized access to confidential information.

Possible Mitigations

To remediate this vulnerability, it is essential to update to the latest GitLab version or apply the appropriate patch for your GitLab installation. GitLab has already released a security update addressing this issue, which can be found here:

- GitLab Security Release 16..1

Additionally, it is a good practice to regularly audit and monitor your GitLab environment for any suspicious activity and to ensure all users follow the principle of least privilege when accessing and modifying your system.
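As an added illustration of the missing check described above (example code written for this post, not GitLab's own implementation), the following Ruby helper resolves a user-supplied attachment path against a fixed upload root and refuses anything that escapes it. The root directory, the function names and the TraversalError class are assumptions made for the example; the input is expected to be URL-decoded exactly once by the web layer before it reaches the helper.

```ruby
require 'pathname'

# Added example (not GitLab's code): confine a user-controlled attachment
# path to a fixed upload root. Names and paths here are assumptions.
class TraversalError < StandardError; end

# root: directory every attachment must live under
# requested: path component from the URL, already URL-decoded once
def safe_attachment_path(root, requested)
  raise TraversalError, "empty path" if requested.nil? || requested.empty?
  raise TraversalError, "NUL byte in path" if requested.include?("\0")
  # Pathname#+ lets an absolute right-hand side replace the base entirely,
  # so absolute input has to be rejected before joining.
  raise TraversalError, "absolute path not allowed" if requested.start_with?("/")

  base = Pathname.new(root).cleanpath
  # Pathname#+ and #cleanpath collapse "." and ".." lexically, so a value
  # like "../../../etc/passwd" resolves to the directory it really targets.
  candidate = (base + requested).cleanpath

  # Accept only strict descendants of the base. Comparing with a trailing
  # separator stops "/uploads-evil/x" from matching a root of "/uploads".
  unless candidate.to_s.start_with?(base.to_s + "/")
    raise TraversalError, "path escapes upload root: #{requested.inspect}"
  end
  # This check is purely lexical. If attachments may be symlinks, also
  # compare File.realpath(candidate) against File.realpath(base).
  candidate.to_s
end

# Classify a request the way a detection rule would: true when the
# attachment segment would have escaped the upload root.
def traversal_attempt?(root, requested)
  safe_attachment_path(root, requested)
  false
rescue TraversalError
  true
end

if __FILE__ == $0
  root = "/var/opt/gitlab/uploads"  # constructed sample root
  puts safe_attachment_path(root, "project-1/report.pdf")
  puts traversal_attempt?(root, "../../../etc/passwd")  # true
end
```

The same predicate can be run over access logs to flag attachment requests whose path would have escaped the root, which is the traffic pattern worth alerting on while an upgrade is pending.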

Conclusion

This post discussed the details of CVE-2023-2825, a path traversal vulnerability discovered in GitLab CE/EE version 16... Due to improper validation when handling a user-supplied attachment ID, this vulnerability allows unauthenticated attackers to access and read arbitrary files on the server. It's crucial to apply the security update released by GitLab or the appropriate patches to your GitLab installation to prevent attackers from exploiting this vulnerability.

Original References

- GitLab Security Advisory
- CVE-2023-2825 MITRE Record

Timeline

Published on: 05/26/2023 21:15:00 UTC
Last modified on: 05/29/2023 03:52:00 UTC