GitLab Critical Security Release 16.0.1 (CVE-2023-2825)


Fleury, Terry

May 25, 2023, 3:16:13 PM
to cv-an...@trustedci.org

CI Operators:

GitLab has released v16.0.1 [1] to address a critical security vulnerability. This affects both GitLab Community Edition (CE) and Enterprise Edition (EE), but only v16.0.0. The issue is tracked as CVE-2023-2825 [2] and has a CVSS v3 score of 10.0.


Impact:

An attacker could use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. While the condition may be uncommon, the exploit is trivial to execute, and could lead to exposure of sensitive data.
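Because the advisory states that there is no mitigation short of upgrading, the useful defender-side step while a v16.0.0 instance is being patched is to check access logs for attachment requests whose path climbs out of the upload directory. The following is an added example, not code from the advisory or from GitLab: it assumes a simplified common-log request format and that attachment URLs contain a `/uploads/` segment (an assumption; adjust `UPLOAD_MARKER` to your deployment), and the log lines are constructed. It goes slightly beyond the text by also handling percent-encoded and double-encoded `..` segments, which a naive substring match for `../` would miss.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (simplified common-log style, not real
# GitLab logs). The group/project path, upload ids and file names are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2023:15:16:13 +0000] "GET /g1/g2/g3/g4/g5/proj/uploads/ab12/report.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [25/May/2023:15:17:02 +0000] "GET /g1/g2/g3/g4/g5/proj/uploads/ab12/..%2F..%2F..%2Fsecret.txt HTTP/1.1" 200 1820
10.0.0.9 - - [25/May/2023:15:17:40 +0000] "GET /g1/g2/g3/g4/g5/proj/uploads/ab12/%252e%252e/%252e%252e/secret.txt HTTP/1.1" 404 0
10.0.0.7 - - [25/May/2023:15:18:11 +0000] "GET /g1/proj/uploads/ab12/notes..old.txt HTTP/1.1" 200 300
"""

# Fields we need from each line: client IP, request path and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_MARKER = "/uploads/"  # assumed marker for the attachment root in URLs


def normalize_path(raw_path: str, max_rounds: int = 3) -> str:
    """Strip the query string, percent-decode until stable (bounded, so a
    double-encoded '%252e' ends up as '.'), and unify backslashes to '/'."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_upload_root(path: str, marker: str = UPLOAD_MARKER) -> bool:
    """True if the segments after the marker climb above the upload root.
    A depth counter is used rather than posixpath.normpath, because normpath
    silently discards leading '..' segments at the root."""
    idx = path.find(marker)
    if idx < 0:
        return False
    depth = 0
    for seg in path[idx + len(marker):].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan(log_text: str):
    """Return (ip, status, normalized_path) for every request whose
    attachment path escapes the upload root, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalize_path(m.group("path"))
        if escapes_upload_root(norm):
            hits.append((m.group("ip"), m.group("status"), norm))
    return hits


if __name__ == "__main__":
    for ip, status, path in scan(SAMPLE_LOG):
        print(f"{ip} status={status} path={path}")
```

The response status is carried along on purpose: a traversal attempt answered with 200 on an unpatched v16.0.0 instance is the case to triage first, while a 404 still identifies a source worth watching. A legitimate file name that merely contains two dots (`notes..old.txt`) is not flagged, since only a whole `..` segment moves the depth counter.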

Affected Software:

GitLab v16.0.0


Recommendation:

If you are using GitLab v16.0.0, update to v16.0.1 [3] as soon as possible. There are no recommended mitigations.


References:

[1] https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2825

[3] https://about.gitlab.com/update


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

