CVE-2023-0921
published 2023-06-06


Priority: P3 (40)
Severity: medium, CVSS 3.1 base score 4.3
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS: 84.44% (99.7th percentile)
A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.

Affected (9 ranges)

Vendor   Product     Version range                  Fixed in
debian   gitlab      < gitlab 15.10.8+ds1-2 (sid)   gitlab 15.10.8+ds1-2 (sid)
gitlab   gitlab      >= 8.3.0 < 15.10.8             15.10.8
gitlab   gitlab      >= 15.11.0 < 15.11.7           15.11.7
gitlab   gitlab      >= 16.0.0 < 16.0.2             16.0.2
gitlab   gitlab      (4 entries with no version range given)
gitlab   gitlab_ce   (no version range given)

Detection & IOCs (extracted from sources)

  • An authenticated attacker creates an oversized Issue description via GraphQL API; repeated retrieval of this issue saturates CPU usage — monitor for abnormally large GraphQL mutation payloads targeting Issue description fields combined with high-frequency read requests for the same issue.
  • Affected versions span a very wide range (8.3 through 16.0.1); fixed versions are 15.10.8, 15.11.7, and 16.0.2 — ensure GitLab CE/EE is patched to one of these releases.
  • Debian sid resolves the issue with package version 15.10.8+ds1-2; verify the installed package version on Debian-based deployments.

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             3.1            4.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
osv             -              4.3     MEDIUM     -
vendor_debian   -              4.3     MEDIUM     -