CVE-2023-3904: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab Enterprise Edition (EE) affecting all versions before 16.4.4, versions from 16.5 before 16.5.4, and versions from 16.6 before 16.6.2. The vulnerability allowed for an overflow of the time spent value on an issue that could alter the details shown in the issue boards (NVD, GitLab Release).

The vulnerability is related to an unvalidated timeSpent value in the POST /api/graphql createTimelog operation. When exploited, it could cause the system to be unable to load issues on the Issue board. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).

The exploitation of this vulnerability could result in users being unable to view Time tracking reports and Issues on the Board. This affects the availability of issue management features, potentially disrupting project tracking and management workflows (GitLab Release).

The vulnerability has been fixed in GitLab versions 16.4.4, 16.5.4, and 16.6.2. Organizations are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com has already been updated with the patched version (GitLab Release).