漏洞描述
Gitlab Wiki API是一组用于对Gitlab项目Wiki页面进行创建、编辑、列表、删除等功能的接口。该API在处理外部输入时未做有效过滤,导致攻击者构造特定的恶意请求,可以在目标服务器上执行任意代码命令。需要private_token,以及需要一个project的id拼接成的路径,project=8拼接:(/api/v4/projects/8/wikis/attachments)
Gitlab Wiki API 远程命令执行漏洞(CVE-2018-18649)
PoC代码
暂无相关漏洞推荐
- gitlab-api-user-enum: GitLab - User Information Disclosure Via Open API
- POC CVE-2024-45409: GitLab - SAML Authentication Bypass
- POC CVE-2025-25291: GitLab - SAML Authentication Bypass
- POC CVE-2019-6793: GitLab Enterprise Edition - Server-Side Request Forgery
- POC CVE-2020-2096: Jenkins Gitlab Hook <=1.4.2 - Cross-Site Scripting
- POC CVE-2020-26413: Gitlab CE/EE 13.4 - 13.6.2 - Information Disclosure
- POC CVE-2021-22205: GitLab CE/EE - Remote Code Execution
- POC CVE-2021-22214: Gitlab CE/EE 10.5 - Server-Side Request Forgery
- POC CVE-2021-4191: GitLab GraphQL API User Enumeration
- POC CVE-2022-0735: GitLab CE/EE - Information Disclosure
- POC CVE-2022-1162: GitLab CE/EE - Hard-Coded Credentials
- POC CVE-2022-2185: GitLab CE/EE - Remote Code Execution
- POC CVE-2023-2825: GitLab 16.0.0 - Path Traversal