CVE-2024-3114: 
GitLab vulnerability analysis and mitigation

A regular expression Denial of Service (ReDoS) vulnerability was discovered in GitLab CE/EE, identified as CVE-2024-3114. The vulnerability affects all versions from 11.10 up to (but not including) 17.0.6, 17.1.4, and 17.2.2. The issue lies in the processing logic for parsing invalid commits, which can lead to a regular expression DoS attack on the server (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, while GitLab Inc. assessed it with a Base Score of 4.3 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity) (NVD).

The vulnerability can result in a Denial of Service condition through regular expression-based attacks when parsing invalid commits, potentially affecting server availability (GitLab Release).

GitLab has released patches to address this vulnerability in versions 17.0.6, 17.1.4, and 17.2.2. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher joaxcar (GitLab Release).