CVE-2024-1963: 
GitLab vulnerability analysis and mitigation

A vulnerability (CVE-2024-1963) was discovered in GitLab CE/EE affecting all versions from 8.4 prior to 16.10.7, from 16.11 prior to 16.11.4, and from 17.0 prior to 17.0.2. The vulnerability exists in GitLab's Asana integration, where an attacker could potentially cause a regular expression denial of service (ReDoS) by sending specially crafted requests (GitLab Release).

The vulnerability is related to a regular expression pattern used for checking issue references in data parsed during webhook calls in the Asana integration. The vulnerable regex pattern is located in app/models/integrations/asana.rb. The issue is triggered when processing commit messages or testing webhooks, where specially crafted input containing repeated patterns (such as repeated '#' characters) can cause catastrophic backtracking in the regular expression engine (GitLab Issue). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to denial of service of the GitLab instance through exhaustive resource consumption. When exploited, it can make the server unresponsive, particularly affecting the system's CPU usage. For a 1K reference architecture, an attack using 6 projects can send one request every second, which is sufficient to make the architecture unresponsive (GitLab Issue).

The vulnerability has been patched in GitLab versions 16.10.7, 16.11.4, and 17.0.2. Organizations are strongly recommended to upgrade to these or later versions immediately. GitLab.com is already running the patched version (GitLab Release).