CVE-2024-1963

Published: Jun 12, 2024Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.

Affected (6)

Products: Gitlab: Gitlab

1 product

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 16.11.0 to 16.11.4
Gitlab Gitlab	From 17.0 to 17.0.2
Gitlab Gitlab	From 8.4 to 16.10.7
Gitlab Gitlab	From 16.11.0 to 16.11.4
Gitlab Gitlab	From 17.0 to 17.0.2
Gitlab Gitlab	From 8.4 to 16.10.7

Related CWEs

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References (6)

https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called

Source: cve@gitlab.com

Release NotesVendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/443577

Source: cve@gitlab.com

Vendor Advisory

https://hackerone.com/reports/2376482

Source: cve@gitlab.com

Third Party Advisory

https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/443577

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://hackerone.com/reports/2376482

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.