GitLab
See also: Gitea (similar self-hosted Git platform)
Self-hosted Git platform. Repositories leak secrets and CI tokens, and notable CVEs give unauthenticated RCE (ExifTool) and zero-click account takeover.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | HTTP |
| 443 | tcp | HTTPS |
| 22 | tcp | Git over SSH |
Fingerprint
- GitLab login page; /help and /api/v4/version reveal the version
- Sign-up sometimes open for self-registration
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/gitlab/gitlab.rb | main config, initial root password | sensitive |
| /etc/gitlab/gitlab-secrets.json | secret keys for tokens and CI | sensitive |
| repository contents / CI variables | hardcoded creds, deploy tokens | sensitive |
Default / weak creds
root password set on first visit; weak user creds
Service users
git
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2021-22205 | Unauthenticated RCE via ExifTool image parsing |
| CVE-2023-7028 | Account takeover via password reset to an arbitrary email |
Exploitation primitives
- Enumerate public/internal projects for secrets and CI/CD tokens
- CVE-2021-22205: upload a crafted image for unauthenticated RCE as git
- CVE-2023-7028: reset another user's password to your email
Overview
GitLab hosts source and pipelines, so it concentrates secrets (CI variables, deploy tokens) and has a history of high-impact CVEs. Always read what the repos themselves contain.
Enumeration
Version via the API (if anonymous access or a token is permitted):
curl -s http://<TARGET>/api/v4/version
Version from the help page:
curl -s http://<TARGET>/help | grep -i version
Then browse public and internal projects for hardcoded tokens and credentials.
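The same repository contents matter to the defender: a scanner that flags hardcoded tokens in repository and CI files before they are pushed. This is an added example, not code from the page or from GitLab; the `glpat-` prefix is GitLab's real personal access token prefix, while the other two patterns are generic heuristics and the sample files are constructed.

```python
import re
from dataclasses import dataclass

# Pattern name -> regex, most specific first. "glpat-" is GitLab's real PAT
# prefix (20-character body); the other two are generic heuristics.
PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)(?:^|[^a-z])(?:password|passwd|secret|token|api_key)"
        r"\s*[:=]\s*['\"]?([^\s'\"$]{8,})"  # value starting with $ is an expansion
    ),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # findings get logged, so never carry the full secret

def redact(value: str) -> str:
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"

def scan_text(path: str, text: str) -> list[Finding]:
    """One finding per line, from the first pattern that hits.
    Env/CI expansions ($VAR, <%= ENV[...] %>) are not reported."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(path, line_no, kind, redact(value)))
                break
    return findings

def scan_repo(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample repository (hypothetical contents, not a real project).
SAMPLE_REPO = {
    ".gitlab-ci.yml": (
        "deploy:\n  script:\n"
        "    - export DB_PASSWORD=\"$DB_PASSWORD\"\n"
        "    - curl -H 'PRIVATE-TOKEN: glpat-AAAAbbbbCCCCdddd1234' $CI_API_V4_URL/projects\n"
    ),
    "config/database.yml": "production:\n  password: <%= ENV[\"DB_PASSWORD\"] %>\n",
    "config/settings.py": "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\nPASSWORD = 'Summer2024!'\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
```

Run it as a pre-receive or CI job over the checked-out tree; a non-empty result should fail the pipeline and trigger rotation of the matched token.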
Hardening
Disable open registration, patch promptly (the ExifTool and password-reset CVEs), scope CI tokens, and protect gitlab-secrets.json.