GitLab, a popular web-based Git repository for developers, recently experienced a critical security flaw identified as CVE-2023-2825. This vulnerability was discovered and promptly reported by a security researcher named “pwnie” during a bug bounty campaign on HackOne. The researcher demonstrated the Proof-of-Concept (PoC) as a functioning exploit, targeting the system. Given the severity of this flaw, immediate action was taken, and a patch was released the following day.
The identified flaw enables an unauthenticated attacker to read arbitrary files on the system. This can be achieved when an attachment exists within a public project nested within five groups. When a file is uploaded to the Git repository, the system returns a URL indicating the file’s location path to the user. By utilizing this URL and employing techniques such as local file inclusion enumeration and fuzzing, it was discovered that the repository lacks proper input sanitization. Consequently, this flaw exposes highly sensitive data, including user tokens, files, credentials, and other critical information.
To successfully exploit this vulnerability, it is necessary for the uploaded file to be included within several levels of the group hierarchy. Therefore, it can be concluded that the flaw lies in the path resolution and management mechanism employed by GitLab. However, detailed information regarding the attack is limited due to its recent discovery. Notably, versions prior to 16.0.0 are confirmed to be unaffected by this flaw.
GitLab responded promptly to address this security concern and released a patch, version 16.0.1, as a remediation measure. They strongly advise all users to update their installations without delay. Currently, no alternative workarounds have been identified.
My take: kudos to the HackOne researcher for finding this vulnerability! Their discovery not only shed light on the flaw but also provided a detailed Proof-of-Concept (PoC), facilitating a comprehensive understanding of the attack. Furthermore, the PoC highlights the input sanitization oversight within GitLab, emphasizing the need for meticulous software maintenance, particularly in Git repositories. Given the potential information exposure associated with such attacks, it is imperative for cybersecurity professionals to prioritize regular updates and remain vigilant against Advanced Persistent Threats (APTs).