CVE-2024-1066 — Allocation of Resources Without Limits or Throttling in Gitlab

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-400 — Uncontrolled Resource Consumption CWE-456 — Missing Initialization of a Variable6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 80.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE

Timeline

PublishedFeb 7

Latest updateMar 18

Description

An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to do a resource exhaustion using GraphQL `vulnerabilitiesCountByDay`

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5gitlab/gitlab13.3.3 — 16.6.7+2

▶NVDgitlab/gitlab13.3.0 — 16.6.7+2

▶debiandebian/gitlab< gitlab 16.6.7-1 (sid)

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-89x8-fvq4-x5w3: An issue has been discovered in GitLab EE affecting all versions from 13↗2024-02-08

▶

OSV

CVE-2024-1066: An issue has been discovered in GitLab EE affecting all versions from 13↗2024-02-07

▶

📋Vendor Advisories

Red Hat

kernel: nbd: always initialize struct msghdr completely↗2024-03-18

▶

GitLab

CVE-2024-1066: An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which all↗2024-02-07

▶

Debian

CVE-2024-1066: gitlab - An issue has been discovered in GitLab EE affecting all versions from 13.3.0 pri...↗2024

▶