CI Operators:
GitLab has released v16.0.1 [1] to address a critical security vulnerability. The vulnerability affects both GitLab Community Edition (CE) and Enterprise Edition (EE), but only version 16.0.0 of each. The issue is tracked as CVE-2023-2825 [2] and has a CVSS v3 score of 10.0.
Impact:
An attacker could use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. While that condition may be uncommon, the exploit is trivial to execute and could lead to exposure of sensitive data.
Affected Software:
GitLab v16.0.0
Recommendation:
If you are using GitLab v16.0.0, update to v16.0.1 [3] as soon as possible. There are no recommended mitigations.
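As an added illustration for operators who run several GitLab instances (this is not GitLab's or Trusted CI's code), the following Python script classifies each instance as affected, fixed, or not affected by this advisory from its version string. It assumes the version strings come from GitLab's authenticated GET /api/v4/version endpoint, which returns JSON of the form {"version": "16.0.0-ee", "revision": "..."}; the host names and responses below are constructed for the example, and the classification follows the advisory (only 16.0.0 affected, 16.0.1 and later carry the fix).

```python
"""Classify GitLab instances against CVE-2023-2825 (affects GitLab 16.0.0 only).

Added example for this advisory; not GitLab's or Trusted CI's code.
Assumed input: the JSON body of GET /api/v4/version from each instance.
The sample hosts and responses below are constructed.
"""
import json
import re
from typing import Dict, Tuple

# Per the advisory: only 16.0.0 is affected; 16.0.1 is the fixed release.
AFFECTED = (16, 0, 0)
FIXED = (16, 0, 1)

# Accepts "16.0.0", "16.0.0-ee", "15.11.5-ce" and tolerates a trailing build tag.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?(?:-.*)?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], str]:
    """Split '16.0.0-ee' into ((16, 0, 0), 'ee'); edition is 'unknown' if absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return nums, (m.group(4) or "unknown")


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'not affected' for one version string."""
    nums, _edition = parse_version(version)
    if nums == AFFECTED:
        return "affected"        # update to 16.0.1 as soon as possible
    if nums >= FIXED:
        return "fixed"           # 16.0.1 or a later release that includes the fix
    return "not affected"        # releases before 16.0.0 are outside the advisory


def assess_inventory(responses: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status, given the raw /api/v4/version JSON body per host.

    A malformed body or unparsable version is reported rather than skipped,
    so an instance never silently drops out of the inventory.
    """
    result: Dict[str, str] = {}
    for host, body in responses.items():
        try:
            version = json.loads(body)["version"]
            result[host] = assess(version)
        except (ValueError, KeyError) as exc:
            result[host] = f"error: {exc}"
    return result


# Constructed sample responses; these are not real hosts.
SAMPLE_RESPONSES = {
    "gitlab-a.example.org": '{"version": "16.0.0-ee", "revision": "abc1234"}',
    "gitlab-b.example.org": '{"version": "16.0.1", "revision": "def5678"}',
    "gitlab-c.example.org": '{"version": "15.11.5-ce", "revision": "0123abc"}',
    "gitlab-d.example.org": '{"revision": "no-version-key"}',
}

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_RESPONSES).items():
        print(f"{host}: {status}")
```

Replace SAMPLE_RESPONSES with the bodies fetched from your own instances; any host reported as "affected" should be updated to v16.0.1 [3], and any host reported as "error" needs a manual version check.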
References:
[1] https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2825
[3] https://about.gitlab.com/update
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.