An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gitlab | Gitlab | 10.8.0 (including) | 15.5.7 (excluding) |
| Gitlab | Gitlab | 15.6.0 (including) | 15.6.4 (excluding) |
| Gitlab | Gitlab | 15.7.0 (including) | 15.7.2 (excluding) |
| Gitlab | Ubuntu | esm-apps/xenial | * |
| Gitlab | Ubuntu | trusty | * |
| Gitlab | Ubuntu | xenial | * |
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.