CVE-2023-3909: 
GitLab vulnerability analysis and mitigation

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in GitLab CE/EE, tracked as CVE-2023-3909. The vulnerability affects all versions from 12.3 before 16.3.6, versions from 16.4 before 16.4.2, and versions from 16.5 before 16.5.1. The issue was discovered when large strings could be added to the timeout input in gitlab-ci.yml file, potentially causing a denial of service condition (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H according to NVD's assessment, while GitLab's assessment gives it a score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity) (NVD).

The vulnerability can lead to a Denial of Service condition when exploited, affecting the availability of the GitLab instance. The impact is primarily focused on service availability, with no direct impact on confidentiality or integrity of the system (GitLab Release).

The vulnerability has been patched in GitLab versions 16.5.1, 16.4.2, and 16.3.6. Users are strongly recommended to upgrade to these versions or later to mitigate the vulnerability. The fix was released on October 31, 2023 (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher akadrian, demonstrating the effectiveness of GitLab's security response program (GitLab Release).