CVE-2023-2825

10.0 CRITICAL

📋 TL;DR

CVE-2023-2825 is a critical path traversal vulnerability in GitLab CE/EE version 16.0.0 that allows unauthenticated attackers to read arbitrary files on the server. This affects GitLab instances with public projects containing attachments nested within at least five groups. The vulnerability enables unauthorized access to sensitive server files.

💻 Affected Systems

Products:
  • GitLab Community Edition
  • GitLab Enterprise Edition
Versions: Only version 16.0.0
Operating Systems: All operating systems running GitLab
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a public project with attachments nested within at least five groups. Private projects or different nesting levels are not affected.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive configuration files, SSH keys, database credentials, or other critical system files, leading to data breach and system takeover.

🟠 Likely Case

Exfiltration of sensitive configuration data, source code, credentials, or other files from the GitLab server, potentially enabling further attacks.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable instances.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation allows external attackers to access sensitive files without any credentials.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but authenticated access might provide similar capabilities through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.0.1 and later versions

Vendor Advisory: https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json

Restart Required: Yes

Instructions:

1. Back up your GitLab instance.
2. Update GitLab to version 16.0.1 or later using your package manager.
3. Restart GitLab services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable public project attachments (platform: all)

Remove attachments from public projects or make affected projects private to prevent exploitation.

Network access restriction (platform: linux)

Restrict network access to the GitLab instance using firewall rules to limit exposure. Multiple ports need the multiport match (a comma-separated list is not valid for plain --dport); trusted_network is a placeholder for the CIDR that should keep access, and the ACCEPT rule must come before the DROP rule because rules are evaluated in order.

# Allow HTTP/HTTPS to GitLab only from the trusted range, drop everything else
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

🧯 If You Can't Patch

  • Immediately make all public projects with attachments private or remove attachments
  • Implement strict network segmentation and firewall rules to limit access to GitLab instance

🔍 How to Verify

Check if Vulnerable:

Check the GitLab version: an instance running 16.0.0 that hosts public projects with attachments nested within at least five groups is vulnerable.

Check Version:

# The GitLab version is the "Version:" line directly under the "GitLab information" header
# (the "GitLab Shell" section has its own "Version:" line, so anchor on the header)
sudo gitlab-rake gitlab:env:info | grep -A1 'GitLab information'

Verify Fix Applied:

Confirm that the reported GitLab version is 16.0.1 or later, then confirm that attachment requests containing traversal segments are no longer served from outside the project's upload directory.
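The two preconditions above (version exactly 16.0.0, and a public project nested under at least five groups) can be checked in one pass. The following script is an added example, not GitLab's code or part of the advisory: it parses the output of `gitlab-rake gitlab:env:info` for the GitLab version, anchoring on the "GitLab information" header because the "GitLab Shell" section also prints a "Version:" line, and counts group depth from a project's full path. The env:info excerpt and the project list are constructed sample data; `assess`, `project_exposed` and the other names are this example's own.

```python
"""Precondition check for CVE-2023-2825 (added example, not from GitLab or the advisory)."""
import re

AFFECTED_VERSION = (16, 0, 0)   # the only version the advisory lists as vulnerable
FIXED_VERSION = (16, 0, 1)      # first patched release
MIN_GROUP_DEPTH = 5             # "nested within at least five groups"

# Constructed excerpt in the shape of `sudo gitlab-rake gitlab:env:info` output.
SAMPLE_ENV_INFO = """\
System information
Ruby Version:   3.0.6p216

GitLab information
Version:        16.0.0
Revision:       0000000
DB Adapter:     PostgreSQL

GitLab Shell
Version:        14.20.0
"""


def parse_gitlab_version(env_info: str) -> tuple:
    """Return the GitLab version as an int tuple, taken from the line that
    follows the 'GitLab information' header (not the GitLab Shell version)."""
    m = re.search(r"^GitLab information\s*\n\s*Version:\s*([\d.]+)", env_info, re.M)
    if not m:
        raise ValueError("GitLab version not found in env:info output")
    return tuple(int(p) for p in m.group(1).split("."))


def version_status(version: tuple) -> str:
    """Classify a version against the advisory's affected/fixed releases."""
    if version == AFFECTED_VERSION:
        return "vulnerable"
    if version >= FIXED_VERSION:
        return "fixed"
    return "not-affected"   # older than 16.0.0 is outside the advisory's range


def group_depth(project_full_path: str) -> int:
    """Number of groups above the project, e.g. 'a/b/c/proj' -> 3."""
    parts = [p for p in project_full_path.strip("/").split("/") if p]
    return max(len(parts) - 1, 0)


def project_exposed(project_full_path: str, visibility: str) -> bool:
    """True when a project matches the advisory's visibility and nesting condition."""
    return visibility == "public" and group_depth(project_full_path) >= MIN_GROUP_DEPTH


def assess(env_info: str, projects) -> dict:
    """projects: iterable of (full_path, visibility) pairs, e.g. from the projects API.
    Returns the version, its status, the exposed projects and an overall verdict."""
    version = parse_gitlab_version(env_info)
    status = version_status(version)
    exposed = [path for path, vis in projects if project_exposed(path, vis)]
    return {
        "version": ".".join(str(p) for p in version),
        "status": status,
        "exposed_projects": exposed,
        "at_risk": status == "vulnerable" and bool(exposed),
    }


if __name__ == "__main__":
    sample_projects = [  # constructed sample data
        ("g1/g2/g3/g4/g5/docs", "public"),       # public, 5 groups deep: matches
        ("g1/g2/g3/internal", "public"),         # public but only 3 groups deep
        ("g1/g2/g3/g4/g5/g6/secret", "private"), # deep enough but private
    ]
    print(assess(SAMPLE_ENV_INFO, sample_projects))
```

Feed `assess` the real env:info output and the (full_path, visibility) pairs from your instance; a "vulnerable" status with an empty exposed list still warrants patching, since the nesting condition can be met by a project created later.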

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in GitLab logs
  • Multiple failed path traversal attempts
  • Access to attachment endpoints with unusual parameters

Network Indicators:

  • Unusual HTTP requests to attachment endpoints with path traversal patterns
  • External IPs accessing sensitive file paths

SIEM Query:

# Group the attachment/public pair explicitly (AND binds tighter than OR in most SIEMs, so unparenthesised mixing is ambiguous); the backslash variant must be escaped as "..\\"
source="gitlab.log" AND ("path traversal" OR "../" OR "..\\" OR ("attachment" AND "public"))
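A keyword query misses percent-encoded traversal segments (`..%2f`, `%2e%2e`), which is the form most likely to appear in a web log. The script below is an added example, not GitLab's code or a query from the advisory: it sweeps GitLab's `production_json.log` (one JSON object per line, with `method`, `path`, `status` and `remote_ip` fields), URL-decodes each path twice to catch double encoding, and flags requests that carry a `..` segment on an uploads route. The log lines are constructed, with the traversal target redacted; `scan` and `summarize` are names chosen for this example.

```python
"""Traversal-attempt sweep over GitLab request logs (added example, not GitLab's code)."""
import json
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in the shape of /var/log/gitlab/gitlab-rails/production_json.log
SAMPLE_LOG = r"""
{"method":"GET","path":"/g1/g2/g3/g4/g5/docs/uploads/0123abcd/diagram.png","status":200,"remote_ip":"10.0.0.5","time":"2023-05-24T10:00:00.000Z"}
{"method":"GET","path":"/g1/g2/g3/g4/g5/docs/uploads/0123abcd/../../../../redacted","status":200,"remote_ip":"203.0.113.7","time":"2023-05-24T10:00:01.000Z"}
{"method":"GET","path":"/g1/g2/g3/g4/g5/docs/uploads/0123abcd/..%2f..%2f..%2fredacted","status":404,"remote_ip":"203.0.113.7","time":"2023-05-24T10:00:02.000Z"}
{"method":"GET","path":"/g1/g2/g3/g4/g5/docs/uploads/0123abcd/%2e%2e/%2e%2e/redacted","status":200,"remote_ip":"203.0.113.7","time":"2023-05-24T10:00:03.000Z"}
{"method":"GET","path":"/api/v4/projects?search=..","status":200,"remote_ip":"10.0.0.9","time":"2023-05-24T10:00:04.000Z"}
{"method":"POST","path":"/g1/g2/g3/g4/g5/docs/uploads","status":200,"remote_ip":"10.0.0.5","time":"2023-05-24T10:00:05.000Z"}
"""


def is_upload_route(path: str) -> bool:
    """Attachment downloads in GitLab live under an /uploads/ path segment."""
    return "/uploads/" in path


def has_traversal(path: str) -> bool:
    """Decode twice (single and double percent-encoding), drop the query
    string, then look for a whole '..' segment; '..foo' is not traversal."""
    decoded = unquote(unquote(path)).split("?", 1)[0]
    return any(seg == ".." for seg in decoded.replace("\\", "/").split("/"))


def scan(log_text: str) -> list:
    """Return one record per request that is both an upload route and a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue   # skip malformed lines rather than abort the sweep
        path = rec.get("path", "")
        if is_upload_route(path) and has_traversal(path):
            hits.append({
                "time": rec.get("time"),
                "remote_ip": rec.get("remote_ip"),
                "status": rec.get("status"),
                "path": path,
            })
    return hits


def summarize(hits: list) -> dict:
    """Group hits by source IP and separate the 200 responses: a traversal
    path that was served, not rejected, is the case to escalate first."""
    by_ip = Counter(h["remote_ip"] for h in hits)
    served = [h for h in hits if h["status"] == 200]
    return {"by_ip": dict(by_ip), "served": served}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(json.dumps(summarize(found), indent=2))
```

Run it against the real log with `scan(open(path).read())`; on a patched 16.0.1 instance the `served` list for traversal paths should be empty, which doubles as the "verify fix applied" check.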
