CVE-2023-6736: 
GitLab vulnerability analysis and mitigation

A ReDoS (Regular Expression Denial of Service) vulnerability was discovered in GitLab Enterprise Edition (EE) affecting all versions from 11.3 before 16.7.6, versions from 16.8 before 16.8.3, and versions from 16.9 before 16.9.1. The vulnerability allows attackers to cause a client-side denial of service by using maliciously crafted content in the CODEOWNERS file (GitLab Security, NVD).

The vulnerability exists in the Codeowners reference extractor component, specifically in the email address validation regular expression. The problematic regex pattern could be exploited through carefully crafted input in the CODEOWNERS file, leading to excessive CPU consumption. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and requiring low privileges (GitLab Security).

When exploited, the vulnerability can cause significant CPU consumption and make the GitLab instance temporarily inaccessible. The attack can be sustained with approximately 10 requests per minute, effectively creating a denial of service condition that affects system availability (GitLab Issue).

The vulnerability has been fixed in GitLab versions 16.7.6, 16.8.3, and 16.9.1. Organizations are strongly recommended to upgrade to these or later versions immediately. GitLab.com has already been updated with the patched version (GitLab Security).