CVE-2023-3424
📋 TL;DR
This vulnerability allows attackers to cause a Denial of Service (DoS) in GitLab by sending specially crafted payloads to the preview_markdown endpoint. The issue affects all GitLab Community Edition and Enterprise Edition instances running vulnerable versions. Attackers can exploit this to make GitLab unresponsive by consuming excessive CPU resources through regular expression processing.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption making GitLab unavailable for all users, potentially requiring manual intervention to restart services.
Likely Case
Degraded performance or temporary unavailability of the GitLab instance, affecting developer workflows and CI/CD pipelines.
If Mitigated
Minimal impact with proper rate limiting, network segmentation, and updated versions.
🎯 Exploit Status
Exploitation requires sending crafted payloads to the preview_markdown endpoint which is typically accessible without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.11.10, 16.0.6, 16.1.1
Vendor Advisory: https://about.gitlab.com/releases/2023/06/22/critical-security-release-gitlab-16-1-1-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 15.11.10, 16.0.6, or 16.1.1, depending on your current version branch.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Rate Limit preview_markdown Endpoint
Implement rate limiting on the /api/v4/markdown endpoint to prevent abuse.
# Configure in the GitLab configuration file (gitlab.rb), then run: sudo gitlab-ctl reconfigure
# The limit_req zone must be defined at http level or nginx rejects the config; the location block must also keep GitLab's existing proxy_pass settings or nginx will not forward the request to GitLab.
nginx['custom_nginx_config'] = "limit_req_zone $binary_remote_addr zone=gitlab_api:10m rate=10r/s;"
nginx['custom_gitlab_server_config'] = "location ~ ^/api/v4/markdown {\n limit_req zone=gitlab_api burst=5 nodelay;\n}"
Web Application Firewall Rule
Block or rate-limit requests to the preview_markdown endpoint using WAF rules.
🧯 If You Can't Patch
- Implement strict network access controls to limit access to the preview_markdown endpoint.
- Monitor system resources and set up alerts for abnormal CPU usage patterns.
🔍 How to Verify
Check if Vulnerable:
Check GitLab version via admin panel or run: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Verify that the installed version is at or above the patched release for its branch (15.11.10, 16.0.6, or 16.1.1), then test the preview_markdown endpoint with normal payloads to confirm it still responds.
📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes
- Multiple requests to /api/v4/markdown endpoint
- Timeout errors in GitLab logs
Network Indicators:
- Unusual volume of POST requests to preview_markdown endpoint
- Requests with crafted markdown payloads
SIEM Query:
source="gitlab" AND (url_path="/api/v4/markdown" OR endpoint="preview_markdown") AND status>=500
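Added example (not from this advisory or from GitLab): a Python scan over constructed log lines in the shape of GitLab's production_json.log that applies the indicators above, flagging per-source bursts of POSTs to the markdown endpoints, 5xx responses, and abnormally slow renders. The field names (time, method, path, status, duration_s, remote_ip) and the thresholds are assumptions to tune for your instance.

```python
import json
from collections import defaultdict

# Paths the advisory names as the vulnerable markdown-rendering entry point.
MARKDOWN_PATHS = ("/api/v4/markdown", "preview_markdown")
REQUESTS_PER_MINUTE = 20   # per-source burst threshold (tuning assumption)
SLOW_SECONDS = 10.0        # a render this slow is consistent with regex blow-up

def is_markdown_request(entry):
    return entry.get("method") == "POST" and any(p in entry.get("path", "") for p in MARKDOWN_PATHS)

def find_redos_indicators(lines, per_minute=REQUESTS_PER_MINUTE, slow=SLOW_SECONDS):
    """Group markdown POSTs per (remote_ip, minute) and flag bursts, 5xx and slow renders."""
    buckets = defaultdict(lambda: {"count": 0, "errors": 0, "max_duration": 0.0})
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue                        # malformed line: skip it, keep scanning
        if not is_markdown_request(entry):
            continue
        key = (entry.get("remote_ip", "?"), entry.get("time", "")[:16])  # YYYY-MM-DDTHH:MM
        b = buckets[key]
        b["count"] += 1
        if int(entry.get("status", 0)) >= 500:
            b["errors"] += 1
        b["max_duration"] = max(b["max_duration"], float(entry.get("duration_s", 0)))
    findings = []
    for (ip, minute), b in sorted(buckets.items()):
        reasons = [name for name, hit in (("burst", b["count"] >= per_minute),
                                          ("5xx", b["errors"] > 0),
                                          ("slow", b["max_duration"] >= slow)) if hit]
        if reasons:
            findings.append({"remote_ip": ip, "minute": minute, "reasons": reasons, **b})
    return findings

def constructed_sample():
    # Constructed lines in the shape of GitLab's production_json.log (field names assumed); not real traffic.
    fmt = ('{"time":"2023-06-22T10:0%d:%02dZ","method":"POST","path":"%s",'
           '"status":%d,"duration_s":%s,"remote_ip":"%s"}')
    lines = [fmt % (0, i, "/api/v4/markdown", 200, "0.1", "10.0.0.5") for i in range(3)]      # normal use
    lines += [fmt % (1, i, "/api/v4/markdown", 200, "0.2", "198.51.100.7") for i in range(25)]  # burst
    lines.append(fmt % (2, 0, "/group/project/preview_markdown", 504, "60.0", "203.0.113.9"))   # timeout
    lines.append(fmt % (2, 1, "/api/v4/projects", 200, "0.05", "203.0.113.9"))                 # unrelated
    return lines

if __name__ == "__main__":
    for finding in find_redos_indicators(constructed_sample()):
        print(finding)
```

Feed it real lines with `find_redos_indicators(open("/var/log/gitlab/gitlab-rails/production_json.log"))` and lower the thresholds to match your instance's normal markdown traffic.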