An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLabs Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gitlab | Gitlab | 8.4 (including) | 16.10.7 (excluding) |
| Gitlab | Gitlab | 16.11.0 (including) | 16.11.4 (excluding) |
| Gitlab | Gitlab | 17.0 (including) | 17.0.2 (including) |
| Gitlab | Gitlab | 17.0 (including) | 17.0.2 (excluding) |
| Gitlab | Ubuntu | esm-apps/xenial | * |
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.