GitLab has released an emergency security update, version 16.0.1, to address a maximum severity (CVSS v3.1 score: 10.0) path traversal flaw tracked as CVE-2023-2825.
GitLab is a web-based Git repository for developer teams that need to manage their code remotely and has approximately 30 million registered users and one million paying customers.
The vulnerability addressed in the latest update was discovered by a security researcher named ‘pwnie,’ who reported the issue on the project’s HackOne bug bounty program.
It impacts GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0, but all versions older than this aren’t affected.
The flaw arises from a path traversal problem that allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
The exploitation of CVE-2023-2825 could expose sensitive data, including proprietary software code, user credentials, tokens, files, and other private information.
This prerequisite suggests that the issue relates to how GitLab manages or resolves paths for attached files nested within several levels of group hierarchy. However, due to the criticality of the problem and the freshness of its discovery, not many details were disclosed by the vendor this time.
Instead, GitLab highlighted the importance of applying the latest security update without delay.
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” reads GitLab’s security bulletin.
“When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.”
A mitigating factor is that the vulnerability can only be triggered under specific conditions, i.e., when there’s an attachment in a public project nested within at least five groups, which is not the structure followed in all GitHub projects.
Nevertheless, all users of GitLab 16.0.0 are recommended to update to version 16.0.1 as soon as possible to mitigate the risk. Unfortunately, no workarounds are available at this time.
To update your GitLab installation, follow the instructions on the project’s update page. For GitLab Runner updates, check out this guide.