CVE-2022-1185: 
GitLab vulnerability analysis and mitigation

CVE-2022-1185 is a denial of service vulnerability affecting GitLab CE/EE versions 10 through 14.7.7, 14.8.0 through 14.8.5, and 14.9.0 through 14.9.2. The vulnerability was discovered and reported through GitLab's HackerOne bug bounty program by researcher vakzz and was disclosed on March 31, 2022 (GitLab Release).

The vulnerability allows an attacker to crash the GitLab web application by uploading a maliciously crafted RDoc file containing a specially designed regex pattern. The issue stems from a stack-buffer-overflow vulnerability in Ruby 2.7.x that can trigger a segmentation fault when compiling certain regular expressions during the RDoc rendering process. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability allows an attacker to cause denial of service by repeatedly requesting the malicious RDoc file, which crashes the Puma web server processes and prevents legitimate access to the GitLab instance. Even with a low request rate of 1 request per second, the attack can effectively bring down the service (GitLab Issue).

The vulnerability has been patched in GitLab versions 14.9.2, 14.8.5, and 14.7.7. Organizations running affected versions should upgrade immediately to one of these patched versions. GitLab.com was promptly updated with the security fix (GitLab Release).