CVE-2024-1947 - Vulnerability Details - OpenCVE

A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Gitlab	Gitlab

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:17.0.0::::community:::
	cpe:2.3:a:gitlab:gitlab:17.0.0::::enterprise:::

No data.

References

Link	Providers
https://gitlab.com/gitlab-org/gitlab/-/issues/443559
https://hackerone.com/reports/2380264

History

Fri, 13 Dec 2024 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:gitlab:gitlab:::::community:::* cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:17.0.0::::community::: cpe:2.3:a:gitlab:gitlab:17.0.0::::enterprise:::

Fri, 04 Oct 2024 08:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 03 Oct 2024 07:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-400

Thu, 03 Oct 2024 06:30:00 +0000

Type	Values Removed	Values Added
Title	Uncontrolled Resource Consumption in GitLab	Improper Handling of Highly Compressed Data (Data Amplification) in GitLab
Weaknesses		CWE-409

Thu, 29 Aug 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Gitlab Gitlab gitlab
CPEs		cpe:2.3:a:gitlab:gitlab::::::::
Vendors & Products		Gitlab Gitlab gitlab

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2024-05-23T11:02:21.780Z

Updated: 2024-10-03T06:23:18.622Z

Reserved: 2024-02-27T19:01:59.981Z

Link: CVE-2024-1947

Vulnrichment

Updated: 2024-08-01T18:56:22.407Z

NVD

Status : Analyzed

Published: 2024-05-23T11:15:23.817

Modified: 2024-12-13T17:14:57.493

Link: CVE-2024-1947

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1947", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2024-02-27T19:01:59.981Z", "datePublished": "2024-05-23T11:02:21.780Z", "dateUpdated": "2024-10-03T06:23:18.622Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "versions": [{"lessThan": "16.10.6", "status": "affected", "version": "13.2.4", "versionType": "semver"}, {"lessThan": "16.11.3", "status": "affected", "version": "16.11", "versionType": "semver"}, {"lessThan": "17.0.1", "status": "affected", "version": "17.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Thanks [luryus](https://hackerone.com/luryus) for reporting this vulnerability through our HackerOne bug bounty program"}], "descriptions": [{"lang": "en", "value": "A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-409", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-10-03T06:23:18.622Z"}, "references": [{"name": "GitLab Issue #443559", "tags": ["issue-tracking", "permissions-required"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/443559"}, {"name": "HackerOne Bug Bounty Report #2380264", "tags": ["technical-description", "exploit", "permissions-required"], "url": "https://hackerone.com/reports/2380264"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 16.10.6, 16.11.3, 17.0.1 or above."}], "title": "Improper Handling of Highly Compressed Data (Data Amplification) in GitLab"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1947", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T15:41:47.064897Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:00:40.082Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.407Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/443559", "name": "GitLab Issue #443559", "tags": ["issue-tracking", "permissions-required", "x_transferred"]}, {"url": "https://hackerone.com/reports/2380264", "name": "HackerOne Bug Bounty Report #2380264", "tags": ["technical-description", "exploit", "permissions-required", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/443559", "name": "GitLab Issue #443559", "tags": ["issue-tracking", "permissions-required", "x_transferred"]}, {"url": "https://hackerone.com/reports/2380264", "name": "HackerOne Bug Bounty Report #2380264", "tags": ["technical-description", "exploit", "permissions-required", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.407Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1947", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T15:41:47.064897Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T15:42:16.845Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Improper Handling of Highly Compressed Data (Data Amplification) in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [luryus](https://hackerone.com/luryus) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "13.2.4", "lessThan": "16.10.6", "versionType": "semver"}, {"status": "affected", "version": "16.11", "lessThan": "16.11.3", "versionType": "semver"}, {"status": "affected", "version": "17.0", "lessThan": "17.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 16.10.6, 16.11.3, 17.0.1 or above."}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/443559", "name": "GitLab Issue #443559", "tags": ["issue-tracking", "permissions-required"]}, {"url": "https://hackerone.com/reports/2380264", "name": "HackerOne Bug Bounty Report #2380264", "tags": ["technical-description", "exploit", "permissions-required"]}], "descriptions": [{"lang": "en", "value": "A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-409", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2024-10-03T06:23:18.622Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1947", "state": "PUBLISHED", "dateUpdated": "2024-10-03T06:23:18.622Z", "dateReserved": "2024-02-27T19:01:59.981Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2024-05-23T11:02:21.780Z", "assignerShortName": "GitLab"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "59891429-A033-4D0E-85D2-95F22913E580", "versionEndExcluding": "16.10.6", "versionStartIncluding": "13.2.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "5DAF8695-E61A-4427-BFC4-CA055DB18F55", "versionEndExcluding": "16.10.6", "versionStartIncluding": "13.2.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "D2461BDD-0006-45A1-B49B-1761CC52BD04", "versionEndExcluding": "16.11.3", "versionStartIncluding": "16.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B9E351A7-5B4B-4043-8EC2-D9B58488ACE3", "versionEndExcluding": "16.11.3", "versionStartIncluding": "16.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:17.0.0:*:*:*:community:*:*:*", "matchCriteriaId": "4B294023-4020-405B-907C-F7F20DFAD3A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:17.0.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "5881525D-CFD4-43AA-9B1E-8C1221772BC3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls."}, {"lang": "es", "value": "Se descubri\u00f3 una condici\u00f3n de denegaci\u00f3n de servicio (DoS) en GitLab CE/EE que afecta a todas las versiones desde 13.2.4 anterior a 16.10.6, 16.11 anterior a 16.11.3 y 17.0 anterior a 17.0.1. Al aprovechar esta vulnerabilidad, un atacante podr\u00eda crear una condici\u00f3n DoS enviando llamadas API manipuladas."}], "id": "CVE-2024-1947", "lastModified": "2024-12-13T17:14:57.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-23T11:15:23.817", "references": [{"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/443559"}, {"source": "cve@gitlab.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/2380264"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/443559"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/2380264"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-409"}], "source": "cve@gitlab.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}