CVE-2024-8177: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.4.5, starting from 17.5 prior to 17.5.3, and starting from 17.6 prior to 17.6.1 which could cause Denial of Service via integrating a malicious harbor registry (GitLab Release, NVD).

The vulnerability stems from a lack of response size checking in the Gitlab::Harbor::Client.get method. When a /harbor/repositories page is requested, the GitLab server connects to the Harbor registry server to fetch information. Due to the missing size check, an attacker-controlled Harbor registry server can send responses with large body (300MB JSON file) to the GitLab application, which are then parsed by Gitlab::Json consuming significant RAM. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (GitLab Issue, NVD).

The exploitation of this vulnerability can lead to a complete service outage. Triggering just two requests from GitLab to a malicious Harbor registry server is sufficient to consume all available memory of a 1k-users self-managed GitLab EE instance, making it unreachable for legitimate users (GitLab Issue).

The vulnerability has been patched in GitLab versions 17.4.5, 17.5.3, and 17.6.1. Users are strongly recommended to upgrade to these versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).