CVE-2023-2198

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to cause denial of service (DoS) in GitLab instances by sending specially crafted payloads to the preview_markdown endpoint. It affects all GitLab Community Edition (CE) and Enterprise Edition (EE) installations within specified version ranges. The attack exploits inefficient regular expression processing to consume excessive server resources.

💻 Affected Systems

Products:
  • GitLab Community Edition
  • GitLab Enterprise Edition
Versions: 8.7 to 15.10.7, 15.11 to 15.11.6, 16.0 to 16.0.1
Operating Systems: All platforms running GitLab
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within affected version ranges are vulnerable regardless of configuration. The preview_markdown endpoint is typically accessible to authenticated users.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to resource exhaustion, potentially affecting all GitLab services including repositories, CI/CD pipelines, and user authentication.

🟠 Likely Case

Degraded performance or temporary service disruption for the affected GitLab instance, requiring restart or intervention to restore normal operation.

🟢 If Mitigated

Minimal impact with proper rate limiting, WAF rules, and updated versions preventing exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but the payload construction is straightforward. Public reports and HackerOne disclosure provide technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.10.8, 15.11.7, 16.0.2

Vendor Advisory: https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2198.json

Restart Required: Yes

Instructions:

1. Back up your GitLab instance.
2. Update to GitLab 15.10.8, 15.11.7, or 16.0.2, depending on your current version track.
3. Follow the GitLab upgrade documentation for your deployment method (Omnibus, Docker, Helm, etc.).
4. Restart GitLab services.

🔧 Temporary Workarounds

Rate Limiting (applies to: all)

Implement rate limiting on the preview_markdown endpoint to prevent repeated exploitation attempts.

Configure it in GitLab application settings or via reverse proxy (nginx/apache) rules.

WAF Rule (applies to: all)

Add Web Application Firewall rules to block suspicious patterns targeting the preview_markdown endpoint.

Add regex pattern detection rules in your WAF configuration.

🧯 If You Can't Patch

  • Restrict access to the preview_markdown endpoint using network ACLs or authentication requirements
  • Implement monitoring and alerting for unusual patterns of requests to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check GitLab version via admin interface or command: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'

Check Version:

sudo gitlab-rake gitlab:env:info | grep 'GitLab version'

Verify Fix Applied:

Confirm that the reported version is 15.10.8, 15.11.7, or 16.0.2, or a later release on the same track, using the same command.
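The version check above, automated as an added example (not part of the advisory or of GitLab's own tooling): it parses the "GitLab version" line from the page's `gitlab-rake` command and classifies it against the affected and patched ranges stated above. It assumes the command prints a line starting with "GitLab version" and that an edition suffix such as "-ee" may follow the number.

```python
import re
import subprocess

# Inclusive affected ranges from the advisory; the 15.11 and 16.0 ranges start at .0.
AFFECTED_RANGES = [((8, 7, 0), (15, 10, 7)),
                   ((15, 11, 0), (15, 11, 6)),
                   ((16, 0, 0), (16, 0, 1))]
FIRST_FIXED = (15, 10, 8)   # lowest patched release; 15.11.7 and 16.0.2 sort above it

def parse_version(text):
    """Return (major, minor, patch) from a bare version or a 'GitLab version:' line.
    A suffix such as '-ee' is ignored; a missing patch component counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no GitLab version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(text):
    """True if the version lies inside one of the affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def is_fixed(text):
    """True for a patched release or anything newer; older-than-8.7 is neither."""
    v = parse_version(text)
    return v >= FIRST_FIXED and not is_vulnerable(text)

def installed_version():
    """Run the advisory's check command and return the raw 'GitLab version' line.
    Assumption: the line begins with 'GitLab version' in gitlab:env:info output."""
    out = subprocess.run(["sudo", "gitlab-rake", "gitlab:env:info"],
                         capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        if line.startswith("GitLab version"):
            return line
    raise RuntimeError("GitLab version line not found in gitlab:env:info output")

if __name__ == "__main__":
    line = installed_version()
    if is_vulnerable(line):
        verdict = "VULNERABLE to CVE-2023-2198"
    elif is_fixed(line):
        verdict = "patched"
    else:
        verdict = "outside the advisory's version ranges"
    print(f"{line.strip()} -> {verdict}")
```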

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage on GitLab server
  • Multiple POST requests to /api/v4/markdown or similar preview endpoints
  • Slow response times from GitLab services

Network Indicators:

  • Unusual patterns of requests to markdown preview endpoints
  • Repeated similar payloads to vulnerable endpoint

SIEM Query:

source="gitlab" AND (uri_path="/api/v4/markdown" OR uri_path LIKE "%/preview%") AND status>=500
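The log indicators above, turned into detection logic as an added example (not from the advisory or from GitLab): it scans JSON request-log entries, keeps only POSTs to markdown preview routes, and raises an alert for slow or 5xx responses and for bursts from one client. The sample entries are constructed; the field names (method, path, status, duration_s, remote_ip, username) follow GitLab's production_json.log, and the thresholds are assumptions to tune against your instance's baseline.

```python
import json
import re
from collections import defaultdict

# Routes that render user-supplied markdown: project/group preview_markdown
# routes and the /api/v4/markdown endpoint named in the advisory.
PREVIEW_PATH = re.compile(r"/preview_markdown$|^/api/v4/markdown$")
SLOW_SECONDS = 5.0   # assumption: tune to the instance's normal preview latency
BURST_COUNT = 5      # assumption: preview POSTs from one IP before flagging a burst

def parse_line(line):
    """Pull the fields we need from one JSON log entry (production_json.log style)."""
    rec = json.loads(line)
    return {"ip": rec.get("remote_ip", "-"), "user": rec.get("username", "-"),
            "method": rec.get("method", ""), "path": rec.get("path", ""),
            "status": int(rec.get("status", 0)), "duration": float(rec.get("duration_s", 0.0))}

def detect(lines):
    """Return alert strings: slow or 5xx preview requests, then per-IP bursts."""
    alerts, per_ip = [], defaultdict(int)
    for line in lines:
        r = parse_line(line)
        if r["method"] != "POST" or not PREVIEW_PATH.search(r["path"]):
            continue   # only markdown preview traffic is relevant to this CVE
        per_ip[r["ip"]] += 1
        if r["duration"] >= SLOW_SECONDS or r["status"] >= 500:
            alerts.append(f"slow/failed preview ip={r['ip']} user={r['user']} "
                          f"path={r['path']} status={r['status']} duration={r['duration']}s")
    for ip, n in per_ip.items():
        if n >= BURST_COUNT:
            alerts.append(f"burst ip={ip} count={n} preview requests")
    return alerts

# Constructed sample entries (not real traffic); one client shows the slow/5xx pattern.
SAMPLE_LOG = [
    '{"method":"GET","path":"/api/v4/projects","status":200,"duration_s":0.05,"remote_ip":"10.0.0.5","username":"alice"}',
    '{"method":"POST","path":"/api/v4/markdown","status":200,"duration_s":0.21,"remote_ip":"10.0.0.5","username":"alice"}',
    '{"method":"POST","path":"/grp/proj/preview_markdown","status":200,"duration_s":0.30,"remote_ip":"10.0.0.5","username":"alice"}',
    '{"method":"POST","path":"/grp/proj/preview_markdown","status":200,"duration_s":0.40,"remote_ip":"198.51.100.7","username":"mallory"}',
    '{"method":"POST","path":"/grp/proj/preview_markdown","status":200,"duration_s":12.4,"remote_ip":"198.51.100.7","username":"mallory"}',
    '{"method":"POST","path":"/api/v4/markdown","status":502,"duration_s":30.1,"remote_ip":"198.51.100.7","username":"mallory"}',
    '{"method":"POST","path":"/grp/proj/preview_markdown","status":200,"duration_s":0.35,"remote_ip":"198.51.100.7","username":"mallory"}',
    '{"method":"POST","path":"/grp/proj/preview_markdown","status":200,"duration_s":0.50,"remote_ip":"198.51.100.7","username":"mallory"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Pair the burst rule with the rate limiting listed under Temporary Workarounds so that an alert and a block fire at the same threshold.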
