Lucene search

[email protected]NVD:CVE-2023-3424

HistoryJul 13, 2023 - 3:15 a.m.

CVE-2023-3424

2023-07-1303:15:10

CWE-400

CWE-1333

[email protected]

web.nvd.nist.gov

gitlab

regular expression denial of service

vulnerability

preview_markdown

crafted payloads

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.

Affected configurations

Nvd

Node

gitlabgitlabRange10.3.0–15.11.10community

gitlabgitlabRange10.3.0–15.11.10enterprise

gitlabgitlabRange16.0.0–16.0.6community

gitlabgitlabRange16.0.0–16.0.6enterprise

gitlabgitlabRange16.1.0–16.1.1community

gitlabgitlabRange16.1.0–16.1.1enterprise

VendorProductVersionCPE
gitlabgitlab*cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
gitlabgitlab*cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Vendor	Product	Version	CPE
gitlab	gitlab	*	cpe:2.3:a:gitlab:gitlab:::::community:::*
gitlab	gitlab	*	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

References

gitlab.com/gitlab-org/gitlab/-/issues/409802

hackerone.com/reports/1960970

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON

Related for NVD:CVE-2023-3424

debiancve1 veracode1 cve1 osv2 nessus2 cvelist1 ubuntucve1 prion1 freebsd1