Rule History

SID: 10008999 • Source: ptrules/open

Versions (7)

Version DetailsCurrent

Rev: 2 • Jul 24, 2025, 5:44 PM

Message:

ATTACK [PTsecurity] GitLab Arbitrary File Read (CVE-2023-2825)

Rule:

alert http any any -> any any (msg: "ATTACK [PTsecurity] GitLab Arbitrary File Read (CVE-2023-2825)"; flow: established, to_server; http.uri.raw; content: "/uploads/"; nocase; content: "%2f..%2f"; nocase; distance: 0; pcre: "/\/+([a-zA-Z0-9_-]+\/+){5,}uploads\/+/I"; reference: url, labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis; reference: cve, 2023-2825; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10008999; rev: 2;)

Created:

Jul 24, 2025, 5:44 PM

Updated:

Jul 24, 2025, 5:44 PM

DB Created:

Oct 16, 2025, 10:34 AM

DB Updated:

Oct 16, 2025, 10:34 AM

Filename:

rules/ptopen-attacks.rules