{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-031.pdf"
    },
    "title": "GitLab - Critical Path Traversal Vulnerability",
    "serial_number": "2023-031",
    "publish_date": "25-05-2023 13:41:52",
    "description": "On May 23, 2023, GitLab released an emergency security update to urgently address a critical severity path traversal flaw - CVE-2023-2825 - with a CVSS v3.1 score of 10.0. This issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0, with older versions not being affected. The flaw allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.<br>\n",
    "url_title": "2023-031",
    "content_markdown": "---\ntitle: 'GitLab -- Critical Path\u00a0Traversal\u00a0Vulnerability'\nversion: '1.0'\nnumber: '2023-031'\noriginal_date: 'May 23, 2023'\ndate: 'May 25, 2023'\n---\n\n_History:_\n\n* _25/05/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn May 23, 2023, GitLab released an emergency security update to urgently address a critical severity path traversal flaw -- **CVE-2023-2825** -- with a CVSS v3.1 score of **10.0**. This issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0, with older versions not being affected. The flaw allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups [1,2].\n\n# Technical Details\n\nThe critical path traversal flaw was discovered by a security researcher known as _pwnie_. The flaw arises from a problem in the way GitLab manages or resolves paths for attached files nested within several levels of group hierarchy. It can be exploited by an unauthenticated attacker to read arbitrary files on the server, thereby potentially exposing sensitive data, including proprietary software code, user credentials, tokens, files, and other private information. \n\nThe vulnerability can only be triggered under specific conditions, i.e., when there's an attachment in a public project nested within at least five groups [1,2].\n\n# Products Affected\n\nThe issue affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0.\n\nThe older versions are not affected by this vulnerability. \n\n# Recommendations\n\nCERT-EU strongly recommends that all installations running GitLab CE/EE version 16.0.0 be upgraded to version 16.0.1.\n\n# References\n\n[1] <https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/>\n\n[2] <https://www.bleepingcomputer.com/news/security/gitlab-strongly-recommends-patching-max-severity-flaw-asap/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>25/05/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On May 23, 2023, GitLab released an emergency security update to urgently address a critical severity path traversal flaw -- <strong>CVE-2023-2825</strong> -- with a CVSS v3.1 score of <strong>10.0</strong>. This issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0, with older versions not being affected. The flaw allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups [1,2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The critical path traversal flaw was discovered by a security researcher known as <em>pwnie</em>. The flaw arises from a problem in the way GitLab manages or resolves paths for attached files nested within several levels of group hierarchy. It can be exploited by an unauthenticated attacker to read arbitrary files on the server, thereby potentially exposing sensitive data, including proprietary software code, user credentials, tokens, files, and other private information. </p><p>The vulnerability can only be triggered under specific conditions, i.e., when there's an attachment in a public project nested within at least five groups [1,2].</p><h2 id=\"products-affected\">Products Affected</h2><p>The issue affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0.</p><p>The older versions are not affected by this vulnerability.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends that all installations running GitLab CE/EE version 16.0.0 be upgraded to version 16.0.1.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/\">https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/gitlab-strongly-recommends-patching-max-severity-flaw-asap/\">https://www.bleepingcomputer.com/news/security/gitlab-strongly-recommends-patching-max-severity-flaw-asap/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}