CVE-2023-6159: 
GitLab vulnerability analysis and mitigation

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in GitLab CE/EE, identified as CVE-2023-6159. The vulnerability affects all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. The issue allows attackers to trigger a ReDoS attack through maliciously crafted input in a Cargo.toml file (GitLab Advisory).

The vulnerability stems from improper handling of regular expressions in the Cargo.toml blob viewer functionality. The issue occurs when the application processes user input directly in regex patterns without proper validation. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The weakness is classified as CWE-1333 (Inefficient Regular Expression Complexity) (NVD).

When exploited, this vulnerability can cause denial of service at the backend by consuming high CPU resources. The attack can be repeated to affect multiple CPU cores, potentially leading to a complete denial of service of the GitLab instance (GitLab Issue).

GitLab has released patches in versions 16.6.6, 16.7.4, and 16.8.1 to address this vulnerability. Organizations running affected versions are strongly recommended to upgrade to the patched versions immediately. GitLab.com and GitLab Dedicated environments have already been updated with the security fixes (GitLab Advisory).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher yvvdwf. GitLab has acknowledged and addressed the issue as part of their security release process (GitLab Advisory).