CVE-2023-3364
📋 TL;DR
This vulnerability allows attackers to cause denial of service (DoS) in GitLab by sending specially crafted payloads to the preview_markdown endpoint. The issue affects GitLab Community Edition and Enterprise Edition installations running vulnerable versions. Attackers can exploit a regular expression processing flaw in the AutolinkFilter to consume excessive server resources.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
Learn more about Gitlab →
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion, potentially affecting all GitLab services including repositories, CI/CD pipelines, and user management.
Likely Case
Degraded performance or temporary service disruption affecting markdown preview functionality and potentially other services sharing resources.
If Mitigated
Minimal impact with proper rate limiting, WAF rules, and network segmentation in place.
🎯 Exploit Status
Exploitation requires sending crafted payloads to the preview_markdown endpoint. Authentication is typically required but may vary by configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.0.8, 16.1.3, or 16.2.2
Vendor Advisory: https://about.gitlab.com/releases/2023/07/05/critical-security-release-gitlab-16-2-2-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 16.0.8, 16.1.3, or 16.2.2 depending on your current version.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Rate Limiting
Implement rate limiting on the preview_markdown endpoint to prevent excessive requests.
Configure in GitLab application settings or via reverse proxy (nginx/apache) rules
WAF Rules
Add Web Application Firewall rules to block suspicious regex patterns in markdown preview requests.
Add custom WAF rules to detect and block ReDoS patterns
🧯 If You Can't Patch
- Restrict access to the preview_markdown endpoint using network ACLs or authentication requirements
- Monitor server resource usage and implement alerting for abnormal CPU/memory consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version via the admin interface or the command line. If the version is in the range 8.14 through 16.0.7, 16.1.0 through 16.1.2, or 16.2.0 through 16.2.1, the system is vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm the GitLab version is 16.0.8, 16.1.3, 16.2.2, or a later release in that line. Test that markdown preview functionality works normally.
📡 Detection & Monitoring
Log Indicators:
- High CPU usage patterns
- Multiple requests to /api/v4/markdown endpoint
- Slow response times for markdown preview
Network Indicators:
- Unusual volume of POST requests to markdown preview endpoints
- Requests with complex regex patterns in payload
SIEM Query:
source="gitlab" AND (uri_path="/api/v4/markdown" OR uri_path CONTAINS "preview_markdown") AND status>=500
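An added example, not part of the original advisory or of GitLab's own code: a small Python script that applies the indicators above (repeated slow, CPU-bound or failed POSTs to markdown preview endpoints from one source) to constructed log lines shaped like GitLab's production_json.log. The field names duration_s, cpu_s and remote_ip, the thresholds, and the sample lines are assumptions to adjust to your deployment.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape of GitLab's production_json.log.
# Field names are assumptions; adjust them to match your instance's log format.
SAMPLE_LOG = """
{"method":"POST","path":"/api/v4/markdown","status":200,"duration_s":0.12,"cpu_s":0.10,"remote_ip":"10.0.0.5","time":"2023-07-05T10:00:00Z"}
{"method":"POST","path":"/gitlab-org/gitlab/preview_markdown","status":200,"duration_s":14.8,"cpu_s":14.5,"remote_ip":"10.0.0.9","time":"2023-07-05T10:00:01Z"}
{"method":"POST","path":"/gitlab-org/gitlab/preview_markdown","status":503,"duration_s":60.0,"cpu_s":59.7,"remote_ip":"10.0.0.9","time":"2023-07-05T10:00:02Z"}
{"method":"POST","path":"/api/v4/markdown","status":200,"duration_s":9.3,"cpu_s":9.1,"remote_ip":"10.0.0.9","time":"2023-07-05T10:00:03Z"}
{"method":"GET","path":"/gitlab-org/gitlab/-/issues/1","status":200,"duration_s":0.3,"cpu_s":0.2,"remote_ip":"10.0.0.5","time":"2023-07-05T10:00:04Z"}
"""

SLOW_SECONDS = 5.0    # a markdown preview normally renders well under a second
MIN_HITS_PER_IP = 2   # one slow request is noise; repeats from one source are worth an alert


def is_markdown_preview(path):
    """Both endpoints named in the advisory: the API route and the project preview route."""
    return path == "/api/v4/markdown" or path.endswith("/preview_markdown")


def find_redos_suspects(log_text):
    """Return {remote_ip: [events]} for sources with repeated slow/failed preview requests."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if ev.get("method") != "POST" or not is_markdown_preview(ev.get("path", "")):
            continue
        duration = float(ev.get("duration_s", 0))
        slow = duration >= SLOW_SECONDS
        # CPU time close to wall time means the worker was busy computing (regex
        # backtracking), not waiting on the database or network.
        cpu_bound = float(ev.get("cpu_s", 0)) >= 0.8 * (duration or 1)
        failed = int(ev.get("status", 0)) >= 500
        if (slow and cpu_bound) or failed:
            hits[ev.get("remote_ip", "?")].append(ev)
    return {ip: evs for ip, evs in hits.items() if len(evs) >= MIN_HITS_PER_IP}


if __name__ == "__main__":
    for ip, evs in find_redos_suspects(SAMPLE_LOG).items():
        worst = max(e["duration_s"] for e in evs)
        print(f"{ip}: {len(evs)} suspicious preview requests, slowest {worst:.1f}s")
```

On the constructed sample the script reports only 10.0.0.9, which issued three slow or failed preview requests; the 0.12 s request from 10.0.0.5 is left alone.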