4.3

CVE-2023-0921

Allocation of Resources Without Limits or Throttling in GitLab

A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GitlabGitLab SwEditioncommunity Version >= 8.3.0 < 15.10.8
GitlabGitLab SwEditionenterprise Version >= 8.3.0 < 15.10.8
GitlabGitLab SwEditioncommunity Version >= 15.11.0 < 15.11.7
GitlabGitLab SwEditionenterprise Version >= 15.11.0 < 15.11.7
GitlabGitLab SwEditioncommunity Version >= 16.0.0 < 16.0.2
GitlabGitLab SwEditionenterprise Version >= 16.0.0 < 16.0.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 84.44% 0.997
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
cve@gitlab.com 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0921.json
Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/issues/392433
Vendor Advisory
Issue Tracking
https://hackerone.com/reports/1869839
Third Party Advisory
Permissions Required