CVE-2024-8124

Sept. 17, 2024, 12:15 p.m.

7.5
High

Description

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request.

Product(s) Impacted

Vendor Product Versions
Gitlab
  • Gitlab
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1333
Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a gitlab gitlab / / / / community / / /
a gitlab gitlab / / / / enterprise / / /
a gitlab gitlab / / / / community / / /
a gitlab gitlab / / / / enterprise / / /
a gitlab gitlab / / / / community / / /
a gitlab gitlab / / / / enterprise / / /

References

https://gitlab.com/gitlab-org/gitlab/-/issues/480533
https://hackerone.com/reports/2634880

Tags

cve@gitlab.com
CWE-1333
2024-09-12
CVE-2024-8124

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Sept. 12, 2024, 5:15 p.m.
Last Modified: Sept. 17, 2024, 12:15 p.m.

Status : Modified

CVE has been amended by a source (CVE Primary CNA or another CNA). Analysis data supplied by the NVD may be no longer be accurate due to these changes.

More info

Source

cve@gitlab.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.