CVE-2024-8233: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. The vulnerability allows an attacker to cause a denial of service by sending requests for diff files on a commit or merge request (GitLab Release, Security Online).

The vulnerability has been assigned a CVSS score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue stems from the lack of timeout protection for endpoints handling diff files requests, particularly affecting '/commit/[:sha]/difffiles' and '/mergerequests/[:id]/diffs_batch.json' endpoints. The vulnerability is classified under CWE-407 (Inefficient Algorithmic Complexity) (NVD).

The vulnerability enables attackers to make a GitLab instance unreachable to legitimate users by repeatedly sending unauthenticated requests for diff files, which are CPU-intensive operations. For a typical '1k-users GitLab EE' instance, even a low rate of malicious requests (approximately 1 RPS) can significantly impact system availability (ASEC).

GitLab has released security updates to address this vulnerability. Users are strongly advised to upgrade to the following patched versions: GitLab CE/EE version 17.4.6, 17.5.4, or 17.6.2. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

The vulnerability was discovered and reported through GitLab's HackerOne bug bounty program by researcher a92847865. The discovery has led to increased attention to resource consumption vulnerabilities in web-based version control systems (Security Online).