CVE-2020-10953
📋 TL;DR
This vulnerability in GitLab EE allows attackers to perform path traversal attacks through the NPM feature, potentially accessing files outside the intended directory. It affects GitLab EE versions 11.7 through 12.9. Organizations using these versions with NPM package registry enabled are at risk.
💻 Affected Systems
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive files like configuration files, source code, or credentials stored on the GitLab server, potentially leading to complete system compromise.
Likely Case
Unauthorized access to internal files, potentially exposing sensitive configuration data or source code repositories.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only exposing non-sensitive files.
🎯 Exploit Status
Exploitation requires access to the NPM registry feature. The vulnerability is well-documented in the security advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.9.1 and later
Vendor Advisory: https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
Restart Required: Yes
Instructions:
1. Backup your GitLab instance.
2. Update to GitLab EE 12.9.1 or later using your package manager.
3. Run 'gitlab-ctl reconfigure'.
4. Restart GitLab services.
🔧 Temporary Workarounds
Disable NPM Registry
Platform: Linux
Temporarily disable the NPM package registry feature to prevent exploitation:
Edit /etc/gitlab/gitlab.rb
Set 'gitlab_rails["packages_enabled"] = false'
Run 'gitlab-ctl reconfigure'
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the GitLab NPM registry
- Enable detailed logging and monitoring for NPM registry access patterns
🔍 How to Verify
Check if Vulnerable:
Check GitLab version: if running EE 11.7-12.9 with NPM registry enabled, you are vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
Verify version is 12.9.1 or later and test NPM registry functionality for path traversal attempts.
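The version check above can be automated. The following is an added example, not part of the original advisory or of GitLab's tooling: it parses the `Version:` line that `gitlab-rake gitlab:env:info` prints and reports whether the instance falls in the affected range stated above (EE 11.7 up to but not including the 12.9.1 fix). The output format (`Version:` followed by whitespace and a `MAJOR.MINOR.PATCH-ee` string) and the treatment of non-EE editions as out of scope are assumptions taken from this page's "GitLab Enterprise Edition" scope.

```python
import re
from typing import Optional, Tuple

# Assumed shape of the relevant line from `gitlab-rake gitlab:env:info`,
# e.g. "Version:\t12.9.0-ee". Edition suffix is optional.
VERSION_RE = re.compile(r'^Version:\s*(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+))?', re.M)

AFFECTED_MIN = (11, 7, 0)   # first affected release per the advisory summary
FIXED = (12, 9, 1)          # first fixed release per the advisory summary


def parse_version(env_info: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), edition) or None if no Version line is found."""
    m = VERSION_RE.search(env_info)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    edition = (m.group(4) or "").lower()
    return version, edition


def is_vulnerable(env_info: str) -> dict:
    """Classify an env:info dump against the CVE-2020-10953 affected range.

    Only the Enterprise Edition is in scope here (assumption based on the
    page's affected-systems list); other editions are reported as not affected.
    """
    parsed = parse_version(env_info)
    if parsed is None:
        return {"version": None, "edition": None, "vulnerable": None,
                "reason": "no Version line found"}
    version, edition = parsed
    in_range = AFFECTED_MIN <= version < FIXED
    if edition != "ee":
        return {"version": version, "edition": edition, "vulnerable": False,
                "reason": "edition not in scope of this advisory"}
    if in_range:
        reason = "version in affected range; update to 12.9.1 or later"
    else:
        reason = "version outside affected range"
    return {"version": version, "edition": edition,
            "vulnerable": in_range, "reason": reason}


if __name__ == "__main__":
    import subprocess
    # Run the real command when executed on a GitLab host; otherwise feed it a dump.
    out = subprocess.run(["sudo", "gitlab-rake", "gitlab:env:info"],
                         capture_output=True, text=True).stdout
    print(is_vulnerable(out))
```

Tuple comparison does the right thing at the boundaries: 12.9.0-ee is reported as affected, 12.9.1-ee is not, and 11.6.x releases fall below the affected range.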
📡 Detection & Monitoring
Log Indicators:
- Unusual NPM package requests with '../' patterns
- Failed path traversal attempts in application logs
Network Indicators:
- Multiple failed NPM package download attempts
- Unusual patterns in NPM registry API calls
SIEM Query:
source="gitlab" AND ("npm" OR "package") AND ("../" OR "%2e%2e%2f")
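The log and SIEM indicators above only catch the literal `../` and single-encoded `%2e%2e%2f` forms. As an added example (not part of the original advisory, and not GitLab code), the scanner below applies the same idea to access-log lines but decodes the request path repeatedly before looking for a `..` segment, so double-encoded variants such as `%252e%252e` are also caught, and it scopes hits to the NPM registry API paths so unrelated traversal noise elsewhere on the host is not attributed to this CVE. The log lines are constructed in a simplified nginx access-log shape, and the `/api/v4/packages/npm/` and `/api/v4/projects/<id>/packages/npm/` prefixes are assumptions about where the registry is served.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (not real GitLab logs) in a simplified nginx access-log shape.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Mar/2020:10:00:01 +0000] "GET /api/v4/packages/npm/@scope%2Fpkg HTTP/1.1" 200 512
10.0.0.7 - - [26/Mar/2020:10:00:02 +0000] "GET /api/v4/packages/npm/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [26/Mar/2020:10:00:03 +0000] "GET /api/v4/projects/42/packages/npm/../../config HTTP/1.1" 404 0
10.0.0.9 - - [26/Mar/2020:10:00:04 +0000] "GET /api/v4/projects/42/packages/npm/pkg/-/pkg-1.0.0.tgz HTTP/1.1" 200 4096
10.0.0.7 - - [26/Mar/2020:10:00:05 +0000] "GET /api/v4/packages/npm/%252e%252e%252fsecrets HTTP/1.1" 404 0
10.0.0.8 - - [26/Mar/2020:10:00:06 +0000] "GET /uploads/../../etc/passwd HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed NPM registry API prefixes (instance-level and project-level).
NPM_PREFIX_RE = re.compile(r'^/api/v4/(?:projects/[^/]+/)?packages/npm/')


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so double/triple-encoded dots are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path: str) -> bool:
    """True if any path segment, after decoding, is exactly '..' (also treats backslashes as separators)."""
    decoded = fully_decode(path).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def parse_line(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text: str) -> list:
    """Return one record per NPM-registry request whose path contains a traversal segment."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if NPM_PREFIX_RE.match(rec["path"]) and has_traversal(rec["path"]):
            hits.append({
                "line": lineno,
                "ip": rec["ip"],
                "status": int(rec["status"]),
                "decoded_path": fully_decode(rec["path"]),
            })
    return hits


def ips_by_hit_count(hits: list) -> list:
    """Aggregate hits per source address, most active first; useful for the 'multiple failed attempts' indicator."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['ip']} status={h['status']} path={h['decoded_path']}")
    print(ips_by_hit_count(found))
```

Note that the `/uploads/../..` line is deliberately not reported: it is traversal-shaped, but not against the NPM registry endpoints this advisory concerns, so it belongs to a different detection rule. The status codes are carried through because a run of 404s from one address against the registry is the "multiple failed download attempts" pattern listed above.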