GitLab version 13.10.2 authenticated remote code execution exploit.
fdd3bf5424a5516bb5299cd43e4d54baa10324040cc743962df9d063321ddcab
This script exploits the issue noted in CVE-2024-45409, which allows an unauthenticated attacker with access to any signed SAML document issued by the IdP to forge a SAML Response/Assertion and gain access as any user on GitLab. Ruby-SAML versions below or equal to 12.2 and versions 1.13.0 through 1.16.0 do not properly verify the signature of the SAML Response.
d08713f2b53b8375bee1c935a8aa40df427334d91a9660f64086fe0c225c0c55
The GitLab internal API is exposed unauthenticated on GitLab. This allows the username for each SSH Key ID number to be retrieved. Users who do not have an SSH Key cannot be enumerated in this fashion. LDAP users (e.g. Active Directory users) will also be returned. This issue is present from GitLab v5.0.0 and was fixed in GitLab v7.5.0.
71630cfcfed3904689a0ba6bbbfad435b4547e989b51038e7a14ced61cb53df9
This Metasploit module queries the GitLab GraphQL API without authentication to acquire the list of GitLab users (CVE-2021-4191). The module works on all GitLab versions from 13.0 up to 14.8.2, 14.7.4, and 14.6.5.
37361393f26eabdc1c128ac8137d1d761bdfdcc8e7201453e7e793df6a7c3a27
This Metasploit module exploits an account-takeover vulnerability that allows users to take control of a GitLab account without user interaction. The vulnerability lies in the password reset functionality. It is possible to provide two e-mail addresses, and the reset code will be sent to both. It is therefore possible to provide the e-mail address of the target account as well as that of one we control, and to reset the password. Two-factor authentication prevents this vulnerability from being exploitable. There is no discernible difference between a vulnerable and non-vulnerable server response. Vulnerable versions include: 16.1 < 16.1.6, 16.2 < 16.2.9, 16.3 < 16.3.7, 16.4 < 16.4.5, 16.5 < 16.5.6, 16.6 < 16.6.4, and 16.7 < 16.7.2.
2a079a5ea68c49929249db07a48797389f6a5b63a1ad6670bced19ea343c8ecf
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It is possible to read the user's e-mail address via the tags feed even though visibility in the user profile has been disabled.
62ce2c8280f3e5fc62225b1364f2a471b91cf622a571b2b9ffbd1a00a324ba26
GitLab version 16.0 contains a directory traversal for arbitrary file read as the gitlab-www user. This Metasploit module requires authentication for exploitation. In order to use this module, a user must be able to create a project and groups. When exploiting this vulnerability, there is a direct correlation between the traversal depth and the depth of groups the vulnerable project is in. The minimum for this seems to be 5, but up to 11 have also been observed. For example, if the directory traversal needs a depth of 11, a group and 10 nested child groups, each a sub-group of the previous, will be created (adding up to 11). Visually this looks like: Group1->sub1->sub2->sub3->sub4->sub5->sub6->sub7->sub8->sub9->sub10. If the depth was 5, a group and 4 nested child groups would be created. With all these requirements satisfied, a dummy file is uploaded, and the full traversal is then executed. Cleanup is performed by deleting the first group, which cascades to deleting all other objects created.
69b07b1cbc660e9b657d46058136f20875b62aea95d13f5799d7b0fd27caa958
GitLab CE/EE versions prior to 16.7.2 suffer from a password reset vulnerability.
ecc61996fa0e38b05ac70ce2080679b2eaf36720822b04f8d38867b1d69456b3
GitLab version 15.3 suffers from a remote code execution vulnerability.
6b39aa9dd2e2a7bec60b18975a9f1d8372e350f6d1ff923d82041ba07d234f5c
An authenticated user can import a repository from GitHub into GitLab. If a user attempts to import a repo from an attacker-controlled server, the server will reply with a Redis serialization protocol object in the nested default_branch. GitLab will cache this object and then deserialize it when trying to load a user session, resulting in remote code execution.
01b86153e9b59cbce82f32a07b24098f2267f0bddf0bec3fcf3243c9d0b7d820
GitLab versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.7 prior to 14.7.7 suffer from a persistent cross site scripting vulnerability.
8cb78a3472e539403d6d39fd3ad3b5fdeb25087820f659a117ceeeb4ad1a58b6
GitLab versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.7 prior to 14.7.7 suffer from an authentication bypass vulnerability due to a hardcoded password being set for accounts registered using an OmniAuth provider.
b9871a137c86a7af7a3f259af24481816299cde62d5eef695abcb78150bb320f
GitLab version 13.10.2 remote code execution exploit that provides a reverse shell.
a3816f4a73b68abc9aa497e0982428e2bde3d7b0a005094907ca8484d9f39f60
This Metasploit module exploits an unauthenticated file upload and command injection vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The patched versions are 13.10.3, 13.9.6, and 13.8.8. Exploitation will result in command execution as the git user.
674d3772ec48b70f0ba624c93a36ffde9a6d313b18359aa19702fc270257ff56
GitLab version 13.9.3 authenticated remote code execution exploit.
caf8edec9ec8c7e7c6f9952908afef2e43a89a4f0838ce4fa452b92c75110fc9
GitLab Community Edition (CE) version 13.10.3 suffers from multiple user enumeration vulnerabilities.
5d420382a54e49ae96ced981f0727ae390e51d108048932dd69d45374578bae6
GitLab version 11.4.7 authenticated remote code execution exploit. Original discovery of this issue attributed to Mohin Paramasivam in December of 2020.
c9c6f0c8706abfa0c67bcf3a71b777f57f857eb79b6d8aa441fb831112e3fa13
GitLab version 11.4.7 authenticated remote code execution exploit.
a366323b7d7d1eea7a69c2b0ccda38033cdfe86c919d53827d40042fd3be1f7d
GitLab version 11.4.7 authenticated remote code execution exploit.
060ec27bc199fb9c231243a34947bcd6f792298a67ae1f4ab3d023368297fe8d
This Metasploit module provides remote code execution against GitLab Community Edition (CE) and Enterprise Edition (EE). It combines an arbitrary file read, used to extract the Rails secret_key_base, with a deserialization vulnerability in the signed experimentation_subject_id cookie that GitLab uses internally for A/B testing to gain remote code execution. Note that the arbitrary file read exists in GitLab EE/CE 8.5 and later, and was fixed in 12.9.1, 12.8.8, and 12.7.8. However, the RCE only affects versions 12.4.0 and above, where the vulnerable experimentation_subject_id cookie was introduced. Tested on GitLab 12.8.1 and 12.4.0.
a2fd5f023f224556722696d725ba298281ba4faa6ff9fad55afc78efcb2c8cd0
GitLab version 12.9.0 authenticated arbitrary file read exploit. A file read vulnerability was previously discovered in this version in May of 2020 by KouroshRZ.
3fa20aa2a7c614b9b11d6fbc0c9ba54d294469d6ed5ae63e80764789e70be637
GitLab version 12.9.0 suffers from an arbitrary file read vulnerability.
886edf401f7e35b4647cd8d0a4cebece4fd3d286dd2d4f2f8fc58ced4c72a12d
Jenkins GitLab Hook plugin version 1.4.2 suffers from a cross site scripting vulnerability.
38931217cabd4d17c01cf04d878ac4d8c49d23973f783f5ba2fd442676454822
GitLab Omnibus versions 7.4 through 12.2.1 suffer from a privilege escalation vulnerability that leverages a race condition in logrotate, resulting in a root shell.
ec5a0ad6e611974c35fee35b42232d35320003024968f9c8ab932cae0dd24449
NPMJS gitlabhook version 0.0.17 suffers from a remote command execution vulnerability.
fc0c7dc65272d0340670454bc0b33b55ca658d8d6e7f4ccd7894b23f4a32858a
Debian Linux Security Advisory 4206-1 - Several vulnerabilities have been discovered in GitLab, a software platform for collaborating on code.
b90e604494b3ffae9f36761ced67f9dddbd660ef359a92d76210c3f564e6c64f