CVE-2023-0121: 
GitLab vulnerability analysis and mitigation

A denial of service (DoS) vulnerability was discovered in GitLab CE/EE affecting all versions starting from 13.2.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. The vulnerability allows attackers to cause high resource consumption using malicious test report artifacts (GitLab Security Release).

The vulnerability exists in GitLab's handling of test report artifacts. An attacker can upload a crafted gzip file (essentially a zip bomb) as a JUnit test report artifact to a CI job, which can cause DoS in both Sidekiq (background jobs) and Puma (web server) through excessive memory use and OOMKills. The issue has been assigned a CVSS score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicating medium severity (GitLab Security Release).

The vulnerability can cause two types of DoS impacts: 1) Sidekiq DoS - where an attacker can cause a Sidekiq worker to be OOMKilled by a simple CI job file upload, interrupting background jobs and potentially affecting any user in the GitLab instance, and 2) Puma/GitLab API DoS - where unauthenticated requests can make Puma try to decompress a previously uploaded large zip file, causing excessive CPU resources and memory usage leading to OOMKills, potentially making GitLab unusable for all users (GitLab Issue).

The vulnerability has been fixed in GitLab versions 15.10.8, 15.11.7, and 16.0.2. Users are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com has already been updated with the patched version (GitLab Security Release).