CVE-2021-22246: 
GitLab vulnerability analysis and mitigation

A denial of service vulnerability (CVE-2021-22246) was discovered in GitLab versions before 14.0.2, 13.12.6, and 13.11.6. The vulnerability affects the GitLab Webhook feature, which could be abused to perform denial of service attacks. The issue was disclosed on August 20, 2021, and received a CVSS v3.1 base score of 6.5 (MEDIUM) (NVD).

The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The issue stems from GitLab Webhooks not properly obeying timeouts, allowing connections to persist indefinitely. When exploited, the webhook server can respond in a way that causes the HTTP(S) connection between the GitLab sidekiq process and the webhook server to never terminate, while keeping large amounts of data in memory (GitLab Issue).

The vulnerability can lead to significant resource consumption and system degradation. When exploited, it can result in never-ending HTTP(S) connections remaining open, depletion of connection pools, excessive memory reservation, system slowdown, and potential process termination due to out-of-memory conditions. The impact affects not just project webhooks but any use of Gitlab::HTTP.post, including system webhooks and integrations (GitLab Issue).

The vulnerability was patched in GitLab versions 14.0.2, 13.12.6, and 13.11.6. Users should upgrade to these versions or later to protect against this vulnerability (NVD).