Bug 2228517 (CVE-2023-3364) - CVE-2023-3364 gitlab: ReDoS when sending crafted payloads which use AutolinkFilter
Summary: CVE-2023-3364 gitlab: ReDoS when sending crafted payloads which use AutolinkF...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-3364
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2228488
TreeView+ depends on / blocked
 
Reported: 2023-08-02 14:14 UTC by Borja Tarraso
Modified: 2023-10-09 13:16 UTC (History)
4 users (show)

Fixed In Version: gitlab 16.0.8, gitlab 16.1.3, gitlab 16.2.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-10-09 13:16:36 UTC
Embargoed:


Attachments (Terms of Use)

Description Borja Tarraso 2023-08-02 14:14:14 UTC
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use AutolinkFilter to the preview_markdown endpoint.


Note You need to log in before you can comment on or make changes to this bug.