CVE-2023-6386: Allocation of Resources Without Limits or Throttling in GitLab
First published: Wed Feb 05 2025(Updated: )
A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2 which allows an attacker to spike the GitLab instance resource usage resulting in service degradation.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab | >=15.11<16.6.7<16.7.5<16.8.2 |
Remedy
Upgrade to versions 16.6.7, 16.7.5, 16.8.2 or above.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-6386?
CVE-2023-6386 is classified as a denial of service vulnerability that can lead to service degradation.
How do I fix CVE-2023-6386?
To mitigate CVE-2023-6386, upgrade your GitLab CE/EE to version 16.6.7 or later for version 15.11, or 16.7.5 for version 16.7, or 16.8.2 for version 16.8.
Which versions of GitLab are affected by CVE-2023-6386?
CVE-2023-6386 affects GitLab CE/EE versions from 15.11 to 16.6.6, 16.7 to 16.7.4, and 16.8 to 16.8.1.
What types of attacks can CVE-2023-6386 facilitate?
CVE-2023-6386 can be exploited to execute denial of service attacks by spiking resource usage on GitLab instances.
Is CVE-2023-6386 being actively exploited?
There have been reports indicating that CVE-2023-6386 is being actively exploited in the wild.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/source
- agent/title
- agent/description
- agent/references
- agent/type
- agent/first-publish-date
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- vendor/gitlab
- canonical/gitlab