First published: Mon Nov 06 2023(Updated: )
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5 before 16.5.1. A Regular Expression Denial of Service (ReDoS) was possible by supplying a very long string as the timeout value in a project's .gitlab-ci.yml file.
Credit: cve@gitlab.com
Affected Software | Affected Version | How to fix |
---|---|---|
GitLab CE/EE | >=12.3.0, <16.3.6 | Upgrade to 16.3.6 |
GitLab CE/EE | >=16.4.0, <16.4.2 | Upgrade to 16.4.2 |
GitLab CE/EE | =16.5.0 | Upgrade to 16.5.1 |
Upgrade to version 16.3.6, 16.4.2 or 16.5.1, whichever is the first fixed release of the branch you are running.
CVE-2023-3909 is a vulnerability in GitLab that allows uncontrolled resource consumption: a regular expression denial of service triggered by an oversized timeout value in .gitlab-ci.yml.
All versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, and version 16.5.0 are affected by CVE-2023-3909.
CVE-2023-3909 has a CVSS base score of 6.5, which is rated medium.
To fix CVE-2023-3909, update GitLab to version 16.3.6, 16.4.2, or 16.5.1, whichever is the first fixed release of the branch you are on.
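The following is an added example, not SecAlerts' or GitLab's own code. It turns the advisory into two local checks: whether a GitLab release string falls inside one of the affected ranges listed above (and which release to upgrade to), and, as a compensating control for an instance that cannot upgrade immediately, whether a .gitlab-ci.yml contains an implausibly long timeout value, the input the advisory names as the trigger. The function names, the 64-character limit and the sample YAML are assumptions made for this example; the version ranges are the ones from the advisory.

```ruby
require "yaml"

# Added example for CVE-2023-3909 (not from SecAlerts or GitLab).
# Gem::Version is part of RubyGems and is loaded by default in a stock Ruby.

# [lower bound (inclusive), first fixed release (exclusive), release to upgrade to]
# Ranges as stated in the advisory.
AFFECTED_RANGES = [
  ["12.3.0", "16.3.6", "16.3.6"],
  ["16.4.0", "16.4.2", "16.4.2"],
  ["16.5.0", "16.5.1", "16.5.1"],
].freeze

# Returns the release to upgrade to when `version_string` is affected, else nil.
# Accepts "16.4.1", "16.4.1-ee" and "v16.4.1" style strings: an edition suffix
# or build metadata after '-', '+' or a space is ignored for the comparison.
def cve_2023_3909_fix_for(version_string)
  core = version_string.to_s.strip.sub(/\Av/, "").split(/[-+ ]/, 2).first.to_s
  v = Gem::Version.new(core)
  AFFECTED_RANGES.each do |low, fixed, upgrade_to|
    return upgrade_to if v >= Gem::Version.new(low) && v < Gem::Version.new(fixed)
  end
  nil
rescue ArgumentError
  raise ArgumentError, "not a GitLab version string: #{version_string.inspect}"
end

def affected?(version_string)
  !cve_2023_3909_fix_for(version_string).nil?
end

# Compensating control while still on an affected release: flag `timeout`
# values that are far longer than any legitimate duration before the config is
# fed to the duration parser. The limit is an assumption chosen for this
# example; real values such as "3 hours 30 minutes" are much shorter.
# `timeout` may appear at job level or under `default:`, and both are
# top-level hashes in the file, so one pass over the top level covers both.
MAX_TIMEOUT_LENGTH = 64

# Returns [[section_name, value_length], ...] for every oversized timeout.
def oversized_timeouts(ci_yaml, limit: MAX_TIMEOUT_LENGTH)
  doc = YAML.safe_load(ci_yaml) || {}
  return [] unless doc.is_a?(Hash)
  findings = []
  doc.each do |name, section|
    next unless section.is_a?(Hash) && section.key?("timeout")
    length = section["timeout"].to_s.length
    findings << [name, length] if length > limit
  end
  findings
end

# Constructed sample config: two ordinary timeouts and one 5000-character value.
LONG_TIMEOUT = "1" * 5000
SAMPLE_CI_YAML = <<~YAML
  default:
    timeout: 1 hour
  build:
    script: make
    timeout: 3 hours 30 minutes
  suspicious:
    script: echo hi
    timeout: "#{LONG_TIMEOUT}"
YAML

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_cve_2023_3909.rb 16.4.1-ee 16.5.1
  ARGV.each do |arg|
    fix = cve_2023_3909_fix_for(arg)
    puts fix ? "#{arg}: affected, upgrade to #{fix}" : "#{arg}: not affected"
  end
  oversized_timeouts(SAMPLE_CI_YAML).each do |name, length|
    puts "#{name}: timeout value is #{length} characters (limit #{MAX_TIMEOUT_LENGTH})"
  end
end
```

The version check deliberately compares only the numeric core, so 16.3.5-ee and 16.3.5-ce are treated the same, matching the advisory's CE/EE scope. The length check is not a substitute for the upgrade: it only bounds the obvious oversized input and says nothing about the parser itself.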
You can find more information about CVE-2023-3909 on the GitLab issue page (https://gitlab.com/gitlab-org/gitlab/-/issues/418763) and the HackerOne report (https://hackerone.com/reports/2050269).