CVE-2024-2454: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The pins endpoint is susceptible to Denial of Service (DoS) through a crafted request. This vulnerability has been assigned CVE-2024-2454 with a CVSS v3.1 base score of 6.5 (Medium) (NVD).

The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U), with no impact on confidentiality (C:N) or integrity (I:N), but high impact on availability (A:H) as demonstrated by the CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (GitLab Release).

The vulnerability can lead to a Denial of Service condition through the pins endpoint, potentially affecting the availability of the GitLab instance. The attack specifically targets resource allocation, which could result in system performance degradation or service interruption (GitLab Release).

GitLab has released patches to address this vulnerability in versions 16.9.7, 16.10.5, and 16.11.2. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com has already been updated with the necessary fixes (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher ac7n0w. GitLab has classified this as a medium severity issue and included it in their scheduled security release (GitLab Release).