CVE-2022-1100
published 2022-04-04
CVE-2022-1100: A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to…
Priority: P4 · 21 · medium · CVSS 3.1 base score 4.3
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.89% (54.8th percentile)
A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to 14.9.2. The API to update an asset as a link from a release had a regex check which caused an exponential number of backtracks for certain user-supplied values, resulting in high CPU usage.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| github.com | vapor_vapor | >= 0 < 4.61.1 | 4.61.1 |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 13.1.0 < 14.7.7 | 14.7.7 |
| gitlab | gitlab | >= 14.8.0 < 14.8.5 | 14.8.5 |
| gitlab | gitlab | >= 14.9.0 < 14.9.2 | 14.9.2 |
| gitlab | gitlab_ce | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
GHSA
Vapor vulnerable to denial of service in URLEncodedFormDecoder
ghsa·2023-06-07
CVE-2022-31019 · HIGH · CWE-120
Vapor is an HTTP web framework for Swift. Vapor versions earlier than 4.61.1 are vulnerable to a denial of service in the URLEncodedFormDecoder.
### Impact
When using automatic content decoding, e.g.
```swift
app.post("foo") { request -> String in
    let foo = try request.content.decode(Foo.self)
    return "\(foo)"
}
```
an attacker can craft a request body that makes the server crash, for example with the following request:
```sh
curl -d "array[_0][0][array][_0][0][array]$(for f in $(seq 1100); do echo -n '[_0][0][array]'; done)[string][_0]=hello%20world" http://localhost:8080/foo
```
The issue is unbounded, attacker controlled stack growth which will at some point lead to a stack overflow.
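The mitigation implied by the advisory is to bound how deep a `key[a][b]...=value` form key may nest and to walk the key without recursion, so a hostile body is rejected with an error rather than exhausting the stack. The following is an added illustration written for this page in Python, not Vapor's own decoder: the `MAX_DEPTH` value of 32 is an assumed limit, and `hostile_body()` constructs an input with the same shape as the advisory's curl payload.

```python
"""Illustrative x-www-form-urlencoded decoder with a nesting-depth cap.

Added example, not Vapor's code. Keys such as `array[_0][0][array]=v` are
split into path segments and the nested structure is built iteratively,
so request-controlled nesting can neither recurse nor exceed MAX_DEPTH.
"""
import re
from urllib.parse import parse_qsl

# Assumed limit for this illustration; the page does not state Vapor's actual cap.
MAX_DEPTH = 32


class NestingTooDeep(ValueError):
    """Raised when a form key nests more levels than the decoder allows."""


# Each bracket group must open with '[' and close with ']', so the pattern is
# unambiguous and matches in linear time (no catastrophic backtracking).
_KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")
_BRACKET_RE = re.compile(r"\[([^\[\]]*)\]")


def split_key(key):
    """Turn 'array[_0][0][array]' into ['array', '_0', '0', 'array']."""
    m = _KEY_RE.match(key)
    if not m:
        raise ValueError(f"malformed key: {key!r}")
    head, brackets = m.group(1), m.group(2)
    return [head] + _BRACKET_RE.findall(brackets)


def decode_form(body, max_depth=MAX_DEPTH):
    """Decode a form body into nested dicts, rejecting keys deeper than max_depth."""
    result = {}
    for key, value in parse_qsl(body, keep_blank_values=True, strict_parsing=True):
        parts = split_key(key)
        if len(parts) > max_depth:
            # Reject before building anything: the request fails, the server does not.
            raise NestingTooDeep(f"key nests {len(parts)} levels; limit is {max_depth}")
        node = result
        for part in parts[:-1]:  # iterative descent, so no stack growth per level
            child = node.get(part)
            if child is None:
                child = node[part] = {}
            elif not isinstance(child, dict):
                raise ValueError(f"key {key!r} conflicts with an earlier scalar value")
            node = child
        node[parts[-1]] = value
    return result


def hostile_body(repeats):
    """Constructed body mirroring the advisory's request shape (repeats = extra nesting groups)."""
    key = "array[_0][0][array]" + "[_0][0][array]" * repeats + "[string][_0]"
    return key + "=hello%20world"


if __name__ == "__main__":
    print(decode_form("name=alice&address[city]=Oslo"))
    try:
        decode_form(hostile_body(1100))
    except NestingTooDeep as exc:
        print("rejected:", exc)
```

The depth check runs on the already-split key before any structure is allocated, and the descent loop is iterative, so even with the cap raised the decoder's stack usage does not depend on the request.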
### Patches
Fixed in 4.61.1
### Workarounds
If
GHSA
GHSA-fr4g-hmc7-w66h: A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 13
ghsa_unreviewed·2022-04-05
CVE-2022-1100 · MEDIUM · CWE-772
OSV
CVE-2022-1100: A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 13
osv·2022-04-04·CVSS 4.3
CVE-2022-1100 · MEDIUM
GitLab
CVE-2022-1100: A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prio
vendor_gitlab·2022-04-04·CVSS 4.3
CVE-2022-1100 · MEDIUM · CWE-772
Debian
CVE-2022-1100: gitlab - A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versi...
vendor_debian·2022·CVSS 4.3
CVE-2022-1100 · MEDIUM
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
No writeups or analysis indexed.
Published: 2022-04-04