GitLab Security Release 16.2.2 (CVE-2023-3994, CVE-2023-3364)


Fleury, Terry

Aug 2, 2023, 10:42:57 AM
to cv-an...@trustedci.org

CI Operators:

GitLab has released v16.2.2 [1] to address several security vulnerabilities, two rated as "high" severity (CVSS v3 7.5/10). This release also addresses 12 "medium" severity vulnerabilities and one "low" severity vulnerability. 


Impact:

A Regular Expression Denial of Service (ReDoS) is possible by sending crafted payloads which use ProjectReferenceFilter (CVE-2023-3994 [2]) or AutolinkFilter (CVE-2023-3364 [3]) to the preview_markdown endpoint. 


Affected Software:

  • GitLab < v16.0.8
  • GitLab 16.1.x < v16.1.3
  • GitLab 16.2.x < v16.2.2


Recommendation:

Update to the latest patched version of GitLab for your installation [4]. There are no recommended mitigations.


References:

[1] https://about.gitlab.com/releases/2023/08/01/security-release-gitlab-16-2-2-released/

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3994

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3364

[4] https://about.gitlab.com/update/


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
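The following is an added example, not part of the Trusted CI advisory or GitLab's own tooling: a small Python check that tells an operator whether a GitLab version string falls inside the three affected ranges transcribed from the advisory's "Affected Software" list, and which patched release of the same series closes the gap. It assumes the version string is taken from GitLab's `GET /api/v4/version` response (shape `{"version": "...", "revision": "..."}`); the JSON sample in the block is constructed, not captured from a real instance.

```python
"""Evaluate a GitLab version against the ranges listed in the GitLab 16.2.2
security release advisory (CVE-2023-3994, CVE-2023-3364).

Added example, not from the advisory or from GitLab. The affected ranges
below are transcribed from the advisory's "Affected Software" list; the
sample /api/v4/version JSON is constructed for illustration.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive or None, upper bound exclusive, first fixed release),
# from the advisory: "< v16.0.8", "16.1.x < v16.1.3", "16.2.x < v16.2.2".
AFFECTED_RANGES = [
    (None, (16, 0, 8), "16.0.8"),
    ((16, 1, 0), (16, 1, 3), "16.1.3"),
    ((16, 2, 0), (16, 2, 2), "16.2.2"),
]

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple from a string such as '16.2.1-ee' or
    'GitLab Enterprise Edition 16.2.1-ee'; edition suffixes are ignored."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def first_fixed_version(version: str) -> Optional[str]:
    """Return the first patched release for the version's series if the
    version lies in an affected range, otherwise None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True when the version is inside one of the advisory's ranges."""
    return first_fixed_version(version) is not None


def check_api_version_response(body: str) -> dict:
    """Evaluate the JSON body returned by GET /api/v4/version."""
    data = json.loads(body)
    version = data["version"]
    fixed = first_fixed_version(version)
    return {
        "version": version,
        "affected": fixed is not None,
        "first_fixed_version": fixed,
    }


# Constructed sample response; the revision is a placeholder.
SAMPLE_RESPONSE = '{"version": "16.2.1-ee", "revision": "0000000"}'

if __name__ == "__main__":
    print(check_api_version_response(SAMPLE_RESPONSE))
    for v in ["15.11.10", "16.0.7", "16.0.8", "16.1.2", "16.1.3",
              "16.2.1", "16.2.2", "16.3.0"]:
        fixed = first_fixed_version(v)
        status = f"affected, update to {fixed}" if fixed else "not in a listed range"
        print(f"{v:>9}: {status}")
```

Two caveats follow from the advisory's own wording: the first range ("< v16.0.8") covers every release older than 16.0.8, so a 15.x instance is reported as affected, and a version the list does not mention (for example anything at or above 16.2.2) is reported as "not in a listed range", which is a statement about this advisory only, not a clean bill of health for later releases.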

