An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLabs Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.
Weakness
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gitlab | Gitlab | 8.4 (including) | 16.10.7 (excluding) |
| Gitlab | Gitlab | 16.11.0 (including) | 16.11.4 (excluding) |
| Gitlab | Gitlab | 17.0 (including) | 17.0.2 (including) |
| Gitlab | Gitlab | 17.0 (including) | 17.0.2 (excluding) |
| Gitlab | Ubuntu | esm-apps/xenial | * |
Extended Description
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.
Potential Mitigations
Related Attack Patterns
References
- https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called
- https://gitlab.com/gitlab-org/gitlab/-/issues/443577
- https://hackerone.com/reports/2376482
- https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called
- https://gitlab.com/gitlab-org/gitlab/-/issues/443577
- https://hackerone.com/reports/2376482