CVE-2020-26405
📋 TL;DR
This path traversal vulnerability in GitLab's package upload functionality allows authenticated attackers to save packages to arbitrary locations on the server filesystem. Affects GitLab Community Edition and Enterprise Edition installations running vulnerable versions. Attackers need at least developer-level permissions to exploit this vulnerability.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
Learn more about Gitlab →
⚠️ Risk & Real-World Impact
Worst Case
Attackers could overwrite critical system files, execute arbitrary code, or achieve remote code execution by uploading malicious packages to sensitive locations.
Likely Case
Attackers could upload malicious packages to unexpected locations, potentially leading to privilege escalation, data manipulation, or persistence mechanisms.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized package storage in non-critical directories.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Public exploit details available in HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.3.9, 13.4.5, or 13.5.2
Vendor Advisory: https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26405.json
Restart Required: Yes
Instructions:
1. Backup your GitLab instance.
2. Update to GitLab 13.3.9, 13.4.5, or 13.5.2 depending on your current version.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Package Upload Permissions
Temporarily restrict package upload functionality to trusted administrators only
# Configure GitLab to restrict package registry permissions
# Omnibus: edit /etc/gitlab/gitlab.rb, set gitlab_rails['packages_enabled'] = false, then run gitlab-ctl reconfigure
# Alternatively, disable the package registry per project via the project settings
🧯 If You Can't Patch
- Implement strict access controls to limit package upload permissions to minimal required users
- Monitor package upload logs for suspicious path traversal patterns and implement file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check GitLab version via admin panel or command: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Verify the running version is 13.3.9, 13.4.5, or 13.5.2 or later for your branch, and confirm that package uploads containing path traversal sequences are rejected
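As an added example (not part of the advisory), the check below parses the version line from `gitlab-rake gitlab:env:info` output and decides whether the instance predates the fix release for its branch; it assumes that branches older than 13.3 received no backport and that 13.6 and later include the fix, and the sample output is constructed.

```python
import re

# Minimum fixed release on each affected branch, taken from the advisory.
FIXED = {(13, 3): (13, 3, 9), (13, 4): (13, 4, 5), (13, 5): (13, 5, 2)}


def parse_version(env_info: str) -> tuple:
    """Read the 'GitLab version:' (or 'Version:') line, e.g. '13.4.3-ee', as ints."""
    m = re.search(r"^(?:GitLab )?[Vv]ersion:\s*(\d+)\.(\d+)\.(\d+)", env_info, re.M)
    if not m:
        raise ValueError("no GitLab version line found")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: tuple) -> bool:
    """True when the version predates the fix release for its branch.

    Assumption: branches before 13.3 got no backport and are treated as
    vulnerable; 13.6 and later ship with the fix.
    """
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    return branch < (13, 3)


def check(env_info: str) -> bool:
    """Combine parsing and the branch comparison for one env:info capture."""
    return is_vulnerable(parse_version(env_info))


# Constructed sample shaped like gitlab:env:info output (not a real capture).
SAMPLE_ENV_INFO = """System information
Ruby Version:\t2.6.6p146
GitLab information
Version:\t13.4.3-ee
Revision:\t<placeholder>
"""

if __name__ == "__main__":
    print("vulnerable" if check(SAMPLE_ENV_INFO) else "patched")
```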
📡 Detection & Monitoring
Log Indicators:
- Unusual package upload paths containing '../' sequences
- Package uploads to non-standard directories
- Failed package upload attempts with path traversal patterns
Network Indicators:
- HTTP POST requests to /api/v4/projects/*/packages/* with path traversal in payload
SIEM Query:
source="gitlab" AND ("package_upload" OR "/api/v4/projects") AND (".." OR "%2e%2e" OR path_traversal)
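The log indicators above can be checked offline; as an added example (not part of the advisory or of GitLab), the scanner below reads records shaped like GitLab's api_json.log, keeps only package-registry API requests, and flags a `..` segment in the URL path or in a request parameter after undoing single and double percent-encoding (the `%2e%2e` case from the indicator list). The log records are constructed.

```python
import json
import re
from urllib.parse import unquote

# Package-registry API routes named in the network indicators.
PACKAGE_API = re.compile(r"^/api/v4/projects/[^/]+/packages/")


def normalise(value: str) -> str:
    """Undo up to three rounds of percent-encoding and unify slashes."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(value: str) -> bool:
    """True when any path segment of the decoded value is '..'."""
    return ".." in normalise(value).split("/")


def find_suspicious(log_lines):
    """Return (method, path, reason) for package-API records carrying traversal."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not a JSON record
        path = rec.get("path", "")
        if not PACKAGE_API.match(path):
            continue  # only package-registry requests are in scope
        if has_traversal(path):
            hits.append((rec.get("method"), path, "traversal in URL path"))
            continue
        for p in rec.get("params", []):
            if isinstance(p.get("value"), str) and has_traversal(p["value"]):
                hits.append((rec.get("method"), path, f"traversal in param {p.get('key')}"))
                break
    return hits


# Constructed sample records in api_json.log shape (not real GitLab logs).
SAMPLE_LOG = [
    '{"method":"PUT","status":201,"path":"/api/v4/projects/7/packages/generic/tool/1.0/tool.tgz","params":[]}',
    '{"method":"PUT","status":201,"path":"/api/v4/projects/7/packages/generic/tool/1.0/%2e%2e/%2e%2e/x.tgz","params":[]}',
    '{"method":"PUT","status":201,"path":"/api/v4/projects/7/packages/npm/tool","params":[{"key":"file_name","value":"..%252F..%252Foutside.txt"}]}',
    '{"method":"GET","status":200,"path":"/api/v4/projects/7/repository/files/..%2Fx","params":[]}',
    'not a json record',
]
```

Running `find_suspicious(SAMPLE_LOG)` returns the second and third records only; the repository request is outside the package API and is ignored.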
🔗 References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26405.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/247371
- https://hackerone.com/reports/835427