CVE-2022-1954: 
GitLab vulnerability analysis and mitigation

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. The vulnerability was assigned CVE-2022-1954 and was disclosed on June 30, 2022. The issue affects both GitLab Community Edition (CE) and Enterprise Edition (EE) installations (GitLab Release).

The vulnerability exists in GitLab's handling of web server response headers. The issue stems from a regular expression operation with quadratic complexity in Ruby's net/http library when processing webhook responses. When processing header lines, the code uses a sub regex operation that exhibits extreme backtracking behavior when encountering specially crafted headers containing many consecutive spaces. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) and CVSS v2.0 score of 5.0 (Medium) (NVD).

When exploited, this vulnerability allows an attacker to make a GitLab instance inaccessible through specially crafted web server response headers. The impact includes CPU exhaustion DoS, as the affected Sidekiq job can become stuck at 100% CPU utilization for extended periods. Additionally, the vulnerability can lead to memory exhaustion DoS and connection pool exhaustion by sending data slowly and keeping the socket open (GitLab Issue).

The vulnerability has been patched in GitLab versions 14.10.5, 15.0.4, and 15.1.1. Users are strongly recommended to upgrade their GitLab installations to one of these patched versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).