CVE-2022-3613: 
GitLab vulnerability analysis and mitigation

A vulnerability was discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. The issue involves a crafted Prometheus Server query that can cause high resource consumption and potentially lead to Denial of Service. This medium severity vulnerability was assigned CVE-2022-3613 and was reported through GitLab's HackerOne bug bounty program by researcher joaxcar (GitLab Security Release).

The vulnerability exists in GitLab's Grafana integration proxy endpoint. An unauthenticated user can send heavy PromQL queries to the endpoint (https://gitlab.example.com/group1/project1/-/grafana/proxy/), causing the Prometheus server to consume excessive resources. Testing showed that with just 20 asynchronous requests, a docker container with 16 cores could be forced to work at 100% CPU constantly. The vulnerability has a CVSS v3.1 score of 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L) (GitLab Security Release).

The impact of this vulnerability includes potential Denial of Service (DoS) of the Prometheus server and possible overall system state degradation. During testing, the Prometheus service became unresponsive to the point where it could not be restarted using normal commands, requiring a complete container restart. The severity of the impact depends on the amount of data on the Prometheus server, with larger production servers potentially being more vulnerable (GitLab Issue).

The vulnerability has been patched in GitLab versions 15.5.7, 15.6.4, and 15.7.2. Organizations are strongly recommended to upgrade to these or later versions immediately. The fix involves elevating access levels to Reporter+ for public projects while maintaining existing access controls for private/protected projects (GitLab Security Release).