CVE-2022-2908: 
GitLab vulnerability analysis and mitigation

A potential Denial of Service (DoS) vulnerability was discovered in GitLab CE/EE versions starting from 10.7 before 15.1.5, all versions starting from 15.2 before 15.2.3, and all versions starting from 15.3 before 15.3.1. The vulnerability allows an attacker to trigger high CPU usage via specially crafted input in the Commit message field (GitLab Release, CVE Mitre).

The vulnerability is caused by a Regular Expression Denial of Service (ReDoS) issue in the commit message field. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L), indicating medium severity. The issue specifically involves the committrailersfilter.rb component, where improper handling of specially crafted input can lead to catastrophic backtracking in regular expression processing (GitLab Release).

When exploited, this vulnerability can cause high CPU usage on the GitLab server, potentially leading to a denial of service condition. The attack requires authentication and can be triggered through the Commit message field (GitLab Release).

The vulnerability has been fixed in GitLab versions 15.1.6, 15.2.4, and 15.3.2. Users are strongly recommended to upgrade to these or later versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher ryhmnlfj (GitLab Release).