GitLab has released an emergency security update, version 16.0.1, to address a maximum severity path traversal flaw (CVSS v3.1 score: 10.0) tracked as CVE-2023-2825.
GitLab is a web-based Git repository for teams of developers who need to manage their code remotely and has approximately 30 million registered users and one million paying customers.
The vulnerability fixed in the latest update was discovered by a security researcher named ‘grandson’, who reported the issue through the project’s HackerOne bug bounty program.
This affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0, but all versions prior to this are unaffected.
The flaw stems from a path traversal issue that allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested in five or more groups.
Exploitation of CVE-2023-2825 could expose sensitive data, including proprietary software code, user credentials, tokens, files, and other private information.
This prerequisite suggests that the issue is how GitLab handles or resolves nested attachment file paths in multiple levels of group hierarchy. However, due to the criticality of the issue and the freshness of its discovery, few details were disclosed by the vendor this time.
Instead, GitLab emphasized the importance of applying the latest security update without delay.
“We strongly recommend that all installations running a version affected by the issues described below be upgraded to the latest version as soon as possible,” reads GitLab’s security bulletin.
“When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.”
A mitigating factor is that the vulnerability can only be triggered under specific conditions, i.e. when there is an attachment in a public project nested in at least five groups, which is not a structure followed by all GitLab projects.
Nevertheless, it is recommended that all GitLab 16.0.0 users update to 16.0.1 as soon as possible to mitigate the risk. Unfortunately, no workaround is available at this time.
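Since no workaround exists, the practical defender task is to confirm whether an instance runs the affected release and which public projects match the five-group nesting precondition. The following is an added example, not GitLab’s own code: it evaluates inputs shaped like the GitLab REST API’s `GET /api/v4/version` (`version` field) and `GET /api/v4/projects` (`path_with_namespace` and `visibility` fields), with the project records constructed inline for an offline run; fetching them from a real instance is left to the operator.

```python
"""Exposure check for the CVE-2023-2825 preconditions (added example, not GitLab's code).

Inputs follow the shape of GitLab REST API responses: GET /api/v4/version returns
{"version": "16.0.0"} and GET /api/v4/projects returns records carrying
"path_with_namespace" and "visibility". Fetching is left to the operator; the
records below are constructed for an offline run.
"""
import re

AFFECTED_VERSIONS = {"16.0.0"}   # per the bulletin, only 16.0.0 is affected
MIN_NESTED_GROUPS = 5            # trigger condition: project nested in 5+ groups


def is_affected_version(version: str) -> bool:
    """True when the numeric x.y.z part equals an affected release.

    GitLab reports strings such as "16.0.0-ee" or "16.0.1-pre"; the suffix
    does not change affectedness, so only the leading x.y.z is compared.
    """
    m = re.match(r"^(\d+\.\d+\.\d+)", version.strip())
    return bool(m) and m.group(1) in AFFECTED_VERSIONS


def group_depth(path_with_namespace: str) -> int:
    """Number of groups above the project: 'a/b/c/proj' -> 3."""
    parts = [p for p in path_with_namespace.strip("/").split("/") if p]
    return max(len(parts) - 1, 0)


def exposed_projects(projects: list) -> list:
    """Public projects nested deeply enough to match the trigger condition."""
    return sorted(
        p["path_with_namespace"]
        for p in projects
        if p.get("visibility") == "public"
        and group_depth(p["path_with_namespace"]) >= MIN_NESTED_GROUPS
    )


# Constructed sample inventory (not real projects).
SAMPLE_PROJECTS = [
    {"path_with_namespace": "org/platform/infra/cloud/aws/tooling", "visibility": "public"},
    {"path_with_namespace": "org/platform/infra/cloud/aws/secrets", "visibility": "private"},
    {"path_with_namespace": "org/platform/website", "visibility": "public"},
    {"path_with_namespace": "org/a/b/c/d/e/f/deep-public", "visibility": "public"},
]

if __name__ == "__main__":
    print("affected version:", is_affected_version("16.0.0-ee"))
    for path in exposed_projects(SAMPLE_PROJECTS):
        print("review attachments in:", path)
```

Projects the script lists are where an upgrade to 16.0.1 should be prioritised and where attachment access logs merit review; private projects and shallower hierarchies fall outside the stated trigger condition.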