CVE-2022-4131: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. The vulnerability allows an attacker to cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents (NVD, GitLab Release).

The vulnerability is classified as a Regular Expression Denial of Service (ReDoS) issue with a CVSS v3.1 Base Score of 4.3 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The issue is related to CWE-1333 (Inefficient Regular Expression Complexity) and affects the device-detector component used for parsing user agent strings (NVD).

When exploited, this vulnerability can cause high CPU usage and lead to Denial of Service conditions on affected GitLab instances. The impact requires authenticated access, as attackers must have valid credentials to exploit the vulnerability (GitLab Release).

The vulnerability has been fixed in GitLab versions 15.5.7, 15.6.4, and 15.7.2. Users are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com is already running the patched version (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher 'afewgoats'. GitLab has classified this as a medium severity issue and included it in their security release along with several other security fixes (GitLab Release).