This issue has been resolved in all affected versions. As a result, all Git repositories with large numbers of branches and tags, or large numbers of merge requests were potentially vulnerable.
In order to prevent the situation where a GitLab administrator with limited permissions might accidentally consume all server resources, the server memory limit was introduced. For more information on the server memory limit, see the documentation on the settings page.
If a GitLab administrator noticed that a large number of Git repositories had been imported by a single user, he/she could check the number of imported repositories in the activity tab of that user. A large number of imported repositories could indicate that a malicious administrator had been importing large numbers of malicious projects.
Summary
The server memory limit is a new setting introduced to prevent a situation where a malicious administrator might consume all server resources.
GitLab administrators with limited permissions could have imported malicious projects, but the number of imported repositories indicates whether this has happened.
How to verify if your installation is vulnerable?
To verify that your installation is vulnerable, run:
sudo gitlab-rake gitlab:check_vuln
If this command returns a non-zero exit code, then your installation is vulnerable.
Improvement to the Server Memory Limit
Since GitLab 7.6.0, the server memory limit has been introduced to prevent malicious administrators from consuming all available resource on the GitLab server. The settings page now displays how many repositories have been imported by a single user over a given period of time.
If you see that an administrator has imported large numbers of projects, contact your GitLab administrator immediately to report this issue.
Timeline
Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 18:16:00 UTC