GitLab developers have released an urgent security update (version 16.0.1) to address a critical issue that scored 10 out of 10 on the Common Vulnerability Scoring System (CVSS) vulnerability rating scale. Exploitation of CVE-2023-2825 may result in the disclosure of sensitive data, including proprietary software code, user credentials, tokens, and files.
The vulnerability was discovered by security researcher pwnie, who reported the issue through a bug bounty program hosted on HackerOne.
The issue is reported to affect GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0 only; older versions are not affected. The vulnerability is a path traversal flaw that allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested in at least five groups.
The vulnerability appears to be related to how GitLab manages or resolves paths for files attached to projects nested several levels deep in the group hierarchy. However, it can only be triggered under specific conditions (an attachment in a public project nested in at least five groups), which do not apply to all GitLab projects.
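As an added illustration of the defensive side of the bug class described above (this is not GitLab's code or its fix, whose details had not been published at the time of writing), the following Python shows a path-resolution check that refuses attachment paths escaping their base directory, plus a small scanner that flags access-log requests containing traversal segments. The base directory name, the URL layout and the log lines are constructed for the example.

```python
# Added example, not GitLab's code: a defensive path-resolution check and a
# small access-log scanning hook for path traversal through a user-supplied
# attachment path. Directory names, URL layout and log lines are constructed.
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Matches one path segment that is exactly ".." (a parent-directory reference).
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_twice(s: str) -> str:
    """Percent-decode twice so a double-encoded '..' cannot slip through."""
    return unquote(unquote(s))


def safe_upload_path(base_dir: str, requested: str) -> Optional[str]:
    """Resolve a user-supplied relative attachment path against base_dir.

    Returns the absolute path when it stays inside base_dir, otherwise None.
    realpath normalises '..' segments and symlinks; commonpath rejects prefix
    tricks such as base '/srv/uploads' against '/srv/uploads-other/file'.
    """
    base = os.path.realpath(base_dir)
    rel = decode_twice(requested).lstrip("/")
    candidate = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return the raw request paths from access-log lines whose decoded path
    contains a '..' segment. Assumes Apache/Nginx combined log format."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()          # ['GET', '/path', 'HTTP/1.1']
        if len(fields) < 2:
            continue
        raw_path = fields[1]
        if TRAVERSAL_RE.search(decode_twice(raw_path)):
            hits.append(raw_path)
    return hits


# Constructed sample log lines (not real traffic); the project sits five
# groups deep, as in the condition described in the advisory.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/May/2023:12:00:00 +0000] "GET /g1/g2/g3/g4/g5/proj/uploads/abcd/report.pdf HTTP/1.1" 200 4096',
    '198.51.100.7 - - [23/May/2023:12:00:01 +0000] "GET /g1/g2/g3/g4/g5/proj/uploads/abcd/../../../etc/hostname HTTP/1.1" 200 16',
    '198.51.100.7 - - [23/May/2023:12:00:02 +0000] "GET /g1/g2/g3/g4/g5/proj/uploads/abcd/%252e%252e/%252e%252e/etc/hostname HTTP/1.1" 200 16',
]

if __name__ == "__main__":
    print(safe_upload_path("/srv/gitlab/uploads", "abcd/report.pdf"))
    print(safe_upload_path("/srv/gitlab/uploads", "abcd/../../../etc/hostname"))
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The check deliberately decodes before resolving and compares with `commonpath` rather than a string prefix, since both single- and double-encoded dot segments and sibling directories sharing a name prefix are the usual ways a naive "starts with base directory" test is bypassed. The log scanner is a coarse hook: it tells you where to look, not whether the read succeeded.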
GitLab developers have emphasized the severity of the vulnerability and urge users to apply the latest update to version 16.0.1 immediately. Further details about the bug will not be published until 30 days have passed since the release of the patch.