
Cloud Vulnerability DB
A community-led vulnerabilities database
A resource exhaustion vulnerability (CVE-2024-1066) was discovered in GitLab Enterprise Edition (EE) affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2. The vulnerability was discovered internally by GitLab team member Brian Williams and disclosed on February 7, 2024 (GitLab Release).
The vulnerability exists in the GraphQL vulnerabilitiesCountByDay API endpoint, which is used to show the count of vulnerabilities over time on the security dashboard. The issue stems from the lack of limits on the date range parameters, allowing attackers to request data between arbitrary dates. Because the implementation iterates through every date in the range before pagination is applied, the requested page size offers no protection, and Ruby can end up attempting to build an array of effectively infinite size in memory. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).
When exploited, this vulnerability can lead to resource exhaustion, potentially consuming 100% of memory and CPU with a single request. In testing, a malicious request could cause the Ruby process to consume over 7.4 GB of memory within 5 minutes, with memory consumption continuing to grow even after the request timed out (GitLab Issue).
The vulnerability has been fixed in GitLab versions 16.6.7, 16.7.5, and 16.8.2. Organizations running affected versions should upgrade to the patched versions immediately. The fix involves implementing proper limits on date ranges and improving the handling of date iterations in the GraphQL resolver (GitLab Release).
Source: This report was generated using AI