6.5

CVE-2023-6489

A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.

Data is provided by the National Vulnerability Database (NVD)
Affected configurations (CPE data):
Vendor: Gitlab, Product: Gitlab, Edition: community,  Version >= 16.7.7  < 16.8.6
Vendor: Gitlab, Product: Gitlab, Edition: enterprise, Version >= 16.7.7  < 16.8.6
Vendor: Gitlab, Product: Gitlab, Edition: community,  Version >= 16.9.0  < 16.9.4
Vendor: Gitlab, Product: Gitlab, Edition: enterprise, Version >= 16.9.0  < 16.9.4
Vendor: Gitlab, Product: Gitlab, Edition: community,  Version >= 16.10.0 < 16.10.2
Vendor: Gitlab, Product: Gitlab, Edition: enterprise, Version >= 16.10.0 < 16.10.2
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS Metrics
Type  Source     Score  Percentile
EPSS  FIRST.org  0.14%  0.352
CVSS Metrics
Source          Base Score  Exploit Score  Impact Score  Vector string
nvd@nist.gov    6.5         2.8            3.6           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
cve@gitlab.com  4.3         2.8            1.4           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE-1333: Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.