CVE-2023-3994 – A Regular Expression Denial of Service in GitLab CE/EE: Analyzing the Vulnerability and Exploit Details

A security vulnerability has been discovered in GitLab CE/EE, affecting all versions starting from 9.3 before 16..8, all versions starting from 16.1 before 16.1.3, and all versions starting from 16.2 before 16.2.2. This vulnerability, assigned as CVE-2023-3994, is a Regular Expression Denial of Service (ReDoS) issue that allows attackers to send specially crafted payloads using ProjectReferenceFilter to the preview_markdown endpoint.

This post will cover a detailed analysis of this vulnerability, including code snippets, links to original references, and an explanation of the exploit. The content will be written in simple and clear American English, making it easy for readers to understand the details of this critical issue.

Introduction

GitLab is one of the most popular web-based Git repository managers, allowing for collaborative development and source code management. Its Community Edition (CE) and Enterprise Edition (EE) offerings are used by many organizations worldwide. Unfortunately, a security vulnerability has been discovered affecting multiple versions of GitLab CE/EE.

Vulnerability Details

CVE-2023-3994 is a Regular Expression Denial of Service (ReDoS) vulnerability. This type of vulnerability occurs when an attacker supplies a malicious input to a target application which results in a regular expression engine consuming excessive resources causing a service outage or performance degradation. In the case of GitLab, this specific vulnerability affects the preview_markdown endpoint and is exploited by sending crafted payloads using ProjectReferenceFilter.

The vulnerability affects all GitLab CE/EE versions starting from 9.3 before 16..8, all versions starting from 16.1 before 16.1.3, and all versions starting from 16.2 before 16.2.2.

Exploit Details

To exploit this vulnerability, an attacker would send crafted payloads designed to match a complex regular expression, causing the targeted system to consume excessive resources. Here's an example of a payload which could exploit this issue:

user
   |
   |- [^[:alnum:]_\.-\n]+
   |                            _payload_                     payload           |
'---------------.-----------'-----------'----.----'---------------------------------'

This payload targets the ProjectReferenceFilter by using a complex sequence of characters that could cause the regular expression engine to consume excessive resources and degrade the performance of GitLab.

The attacker would then send this payload to the vulnerable preview_markdown endpoint using a HTTP request like below:

POST /api/v4/markdown/preview_markdown HTTP/1.1
Host: victim.gitlab.com
Content-Type: application/json
{
  "text": "The crafted payload goes here...",
  "project": "victim/project"
}

Upon processing this request, the GitLab server would become overwhelmed and possibly result in a denial of service or performance degradation.

Original References

The vulnerability was first disclosed in the GitLab Security Advisory. This advisory provides details about the affected versions and recommended remediation actions.

GitLab also published a merge request to resolve the issue, which explains the technical details and provides a patch to fix the vulnerability.

Conclusion

CVE-2023-3994 is a critical Regular Expression Denial of Service (ReDoS) vulnerability affecting various GitLab CE/EE versions. It is crucial for organizations and users using these GitLab versions to update their software and apply the recommended patches as soon as possible. By doing so, they can protect themselves from potential exploitation attempts and ensure the continued security and performance of their GitLab instances.

Timeline

Published on: 08/02/2023 01:15:00 UTC
Last modified on: 08/04/2023 19:21:00 UTC