CVE-2022-1100 — Missing Release of Resource after Effective Lifetime in Gitlab

CWE-772 — Missing Release of Resource after Effective Lifetime CWE-120 — Classic Buffer Overflow CWE-121 — Stack-based Buffer Overflow CWE-674 — Uncontrolled Recursion7 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 62.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Github.com Vapor Vapor Debian Gitlab +1 more

Timeline

PublishedApr 4

Latest updateJun 7

Description

A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to 14.9.2. The api to update an asset as a link from a release had a regex check which caused exponential number of backtracks for certain user supplied values resulting in high CPU usage.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages6 packages

▶NVDgitlab/gitlab13.1.0 — 14.7.7+2

▶debiandebian/gitlab< gitlab 15.10.8+ds1-2 (sid)

▶CVEListV5gitlab/gitlab>=13.1, <14.7.7, >=14.8, <14.8.5, >=14.9, <14.9.2+2

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

Vapor vulnerable to denial of service in URLEncodedFormDecoder↗2023-06-07

▶

GHSA

GHSA-fr4g-hmc7-w66h: A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 13↗2022-04-05

▶

OSV

CVE-2022-1100: A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 13↗2022-04-04

▶

💥Exploits & PoCs

Exploit-DB

Zyxel NWA-1100-NH - Command Injection↗2022-04-19

▶

📋Vendor Advisories

GitLab

CVE-2022-1100: A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prio↗2022-04-04

▶

Debian

CVE-2022-1100: gitlab - A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versi...↗2022

▶