CVE-2022-3759: 
GitLab vulnerability analysis and mitigation

CVE-2022-3759 affects GitLab CE/EE versions starting from 14.3 before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. The vulnerability allows an attacker to upload a crafted CI job artifact zip file in a project that uses dynamic child pipelines, potentially causing a Denial of Service condition in GitLab instances where Sidekiq is memory-limited (GitLab Security, CVE Details).

The vulnerability exists in the ArtifactFileReader component where the yaml file size validation can be bypassed by manipulating the metadata entry's total_size property. The attacker can alter the 'uncompressed size' metadata entries in the artifact zip file to bypass size limitations meant to prevent excessive memory use. When reading the artifact file for the dynamic child pipeline feature, a background job checks that both the archive zip file itself and the reported uncompressed size of the pipeline yaml file inside it are under 5 megabytes. However, a 5 gigabyte empty file can be compressed into a 5 megabyte zip file, and by altering the metadata, this file can pass the size checks. The vulnerability has been assigned a CVSS score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) (GitLab Issue).

When exploited, this vulnerability can cause Sidekiq worker processes to be terminated by the Linux OOMKiller when they attempt to process the malicious artifact. In small self-hosted environments with a single Sidekiq node, this can cause background jobs to fail and their execution to be delayed. The attack can affect any user in the GitLab instance as much of GitLab's functionality relies on Sidekiq jobs. For instance, CI pipelines of other users may get interrupted or left in a 'pending' state (GitLab Issue).

The vulnerability has been patched in GitLab versions 15.6.7, 15.7.6, and 15.8.1. Organizations running affected versions should upgrade to one of these patched versions immediately. GitLab.com has already been updated with the patched version (GitLab Security).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher luryus. GitLab addressed the vulnerability promptly and included the fix in their security release (GitLab Security).