CVE-2023-0518: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab CE/EE affecting all versions starting from 14.0 before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. The vulnerability allowed attackers to trigger a Denial of Service (DoS) attack by uploading a malicious Helm chart (GitLab Advisory, NVD).

The vulnerability stems from insufficient size validation when processing Helm chart packages. When a Helm chart file (.tar.gz) is uploaded, GitLab processes its metadata in a Sidekiq background job by reading the Chart.yaml file inside the tarball. The process lacks proper size checks, allowing attackers to create a Chart.yaml file of approximately 2GB (2147483647 bytes) that compresses to only a few megabytes, well under the default Helm chart file limit of 5 megabytes. The CVSS v3.1 base score is 4.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (GitLab Advisory).

When exploited, this vulnerability can cause Sidekiq workers to be terminated by the OOM (Out of Memory) Killer in Linux, as the worker attempts to read the entire 2GB file into memory. In small self-hosted GitLab environments with a single Sidekiq node, this can cause background jobs to fail and their execution to be delayed. This affects various GitLab functionalities that rely on Sidekiq jobs, including CI pipeline operations (GitLab Issue).

The vulnerability has been patched in GitLab versions 15.6.7, 15.7.6, and 15.8.1. Organizations running affected versions should upgrade to one of these patched versions immediately. GitLab.com has already been updated with the patched version (GitLab Advisory).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher 'luryus'. GitLab addressed the issue promptly and included the fix in their security release (GitLab Advisory).