GitLab reports max severity flaw - patch ASAP
Take action: A critical issue in GitLab. Everyone should patch immediately. Don't burn your time in empty debates about whether "this can happen to us, it's too specific". It will.
GitLab strongly advises immediately applying the patch to address a critical vulnerability of maximum severity.
The flaw, identified as CVE-2023-2825 and scored 10.0 on the CVSS v3.1 scale, is fixed in an emergency security update, version 16.0.1. This vulnerability affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0, while earlier versions remain unaffected.
The vulnerability is attributed to a path traversal issue, permitting unauthorized access to arbitrary files on the server in cases where an attachment exists within a public project nested in a minimum of five groups. Exploiting CVE-2023-2825 can result in the exposure of sensitive data such as proprietary software code, user credentials, tokens, files, and other confidential information.
GitLab emphasizes the importance of promptly updating to the latest version to address this security concern. The vendor's security bulletin explicitly states, "We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible."
This recommendation applies to all deployment types of GitLab products.
The vulnerability requires specific conditions to be triggered, namely the presence of an attachment in a public project nested within at least five groups, which is not a common structure for all GitLab projects. Nevertheless, all users of GitLab 16.0.0 are advised to update to version 16.0.1 promptly to mitigate any potential risks. No workarounds are currently available.
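Because only 16.0.0 is affected and 16.0.1 is the fix, the practical question for an operator is simply which of their instances report that one version. The following Ruby script is an added example, not code from the page or from GitLab: it classifies GitLab version strings against CVE-2023-2825 and can pull the version from a live instance through GitLab's documented `GET /api/v4/version` endpoint (which needs an access token with API read scope). The instance hostnames, revision values and token environment variables are constructed for illustration; the offline run uses the embedded sample responses. One real caveat it handles: Enterprise Edition instances report versions such as `16.0.0-ee`, which a naive `Gem::Version` comparison would sort as a pre-release below `16.0.0` and therefore miss.

```ruby
require 'json'
require 'net/http'
require 'uri'
require 'rubygems' # provides Gem::Version for semantic comparison

AFFECTED = Gem::Version.new('16.0.0') # only release named in the advisory
FIXED    = Gem::Version.new('16.0.1') # emergency release carrying the fix

# Normalise a GitLab version string into a Gem::Version.
# EE instances report e.g. "16.0.0-ee"; Gem::Version would read "-ee" as a
# prerelease tag and rank it below 16.0.0, so the edition suffix is dropped
# first. Anything that is not plain MAJOR.MINOR.PATCH afterwards is rejected.
def parse_gitlab_version(raw)
  core = raw.to_s.strip.sub(/-.*\z/, '')
  unless core.match?(/\A\d+\.\d+\.\d+\z/)
    raise ArgumentError, "unrecognised GitLab version: #{raw.inspect}"
  end
  Gem::Version.new(core)
end

# Classify an instance relative to CVE-2023-2825:
#   :affected   -> exactly 16.0.0 (CE or EE)
#   :fixed      -> 16.0.1 or newer
#   :unaffected -> older than 16.0.0 (per the advisory, not affected)
#   :unknown    -> version string could not be parsed
def cve_2023_2825_status(raw)
  version = parse_gitlab_version(raw)
  if version == AFFECTED
    :affected
  elsif version >= FIXED
    :fixed
  else
    :unaffected
  end
rescue ArgumentError
  :unknown
end

# Fetch the running version from a live instance. The endpoint is GitLab's
# documented /api/v4/version; it requires an authenticated token, passed in
# the PRIVATE-TOKEN header. Not exercised by the offline sample below.
def fetch_gitlab_version(base_url, token)
  uri = URI.join(base_url, '/api/v4/version')
  request = Net::HTTP::Get.new(uri)
  request['PRIVATE-TOKEN'] = token
  response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(request)
  end
  raise "HTTP #{response.code} from #{uri}" unless response.is_a?(Net::HTTPSuccess)
  JSON.parse(response.body).fetch('version')
end

# Triage a batch of instances given the raw JSON bodies /api/v4/version returned.
# Returns { instance_name => status_symbol }.
def triage(responses)
  responses.to_h do |name, body|
    version = JSON.parse(body).fetch('version', nil)
    [name, cve_2023_2825_status(version)]
  end
end

# Constructed sample responses (hostnames and revisions are made up).
SAMPLE_RESPONSES = {
  'git-a.example.internal' => '{"version":"16.0.0-ee","revision":"aaaaaaaa"}',
  'git-b.example.internal' => '{"version":"16.0.0","revision":"bbbbbbbb"}',
  'git-c.example.internal' => '{"version":"16.0.1-ee","revision":"cccccccc"}',
  'git-d.example.internal' => '{"version":"15.11.8","revision":"dddddddd"}',
  'git-e.example.internal' => '{"error":"401 Unauthorized"}',
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Live mode if GITLAB_URL and GITLAB_TOKEN are set (assumed env var names),
  # otherwise report on the constructed sample.
  if ENV['GITLAB_URL'] && ENV['GITLAB_TOKEN']
    live = fetch_gitlab_version(ENV['GITLAB_URL'], ENV['GITLAB_TOKEN'])
    puts "#{ENV['GITLAB_URL']}: #{live} -> #{cve_2023_2825_status(live)}"
  else
    triage(SAMPLE_RESPONSES).each { |name, status| puts "#{name}: #{status}" }
  end
end
```

Treat `:affected` as "upgrade now" and `:unknown` as "go and look": an unparseable version usually means the token lacked API access or the host is not GitLab at all, and neither case should be silently counted as safe.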