CVE-2024-1736

Published: Jun 12, 2024Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files.

Affected (6)

Products: Gitlab: Gitlab

1 product

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	Before 16.10.7
Gitlab Gitlab	From 16.11.0 to 16.11.4
Gitlab Gitlab	From 17.0.0 to 17.0.2
Gitlab Gitlab	Before 16.10.7
Gitlab Gitlab	From 16.11.0 to 16.11.4
Gitlab Gitlab	From 17.0.0 to 17.0.2

Related CWEs

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References (6)

https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-ci-interpolation-fix-bypass

Source: cve@gitlab.com

Release NotesVendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/442695

Source: cve@gitlab.com

Vendor Advisory

https://hackerone.com/reports/2358689

Source: cve@gitlab.com

Third Party Advisory

https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-ci-interpolation-fix-bypass

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/442695

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://hackerone.com/reports/2358689

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.