CVE-2024-1495

6.5 MEDIUM

📋 TL;DR

This CVE describes a denial-of-service vulnerability in GitLab CE/EE where an attacker can craft malicious files to trigger a ReDoS (Regular Expression Denial of Service) attack in the Go module dependency linker. This affects all GitLab instances running vulnerable versions, potentially causing service unavailability.

💻 Affected Systems

Products:
  • GitLab Community Edition (CE)
  • GitLab Enterprise Edition (EE)
Versions: All versions from 13.1 to 16.10.6, 16.11 to 16.11.3, and 17.0 to 17.0.1
Operating Systems: All supported platforms (Linux, Kubernetes, Docker, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with Go module dependency scanning enabled. Self-managed and GitLab.com SaaS instances are affected.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to resource exhaustion, affecting all users and potentially disrupting CI/CD pipelines and development workflows.

🟠

Likely Case

Temporary service degradation or unavailability for specific endpoints handling Go module dependencies, requiring restart of affected GitLab components.

🟢

If Mitigated

Minimal impact with proper rate limiting, monitoring, and quick detection of anomalous patterns in dependency processing.

🌐 Internet-Facing: HIGH - GitLab instances exposed to the internet are directly accessible to attackers who can craft and submit malicious files.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but attack surface is more limited than internet-facing instances.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to upload or submit files to GitLab (typically authenticated access). The vulnerability is in the Go module dependency parsing logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.10.7, 16.11.4, or 17.0.2

Vendor Advisory: https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-gomod-dependency-linker

Restart Required: Yes

Instructions:

1. Backup your GitLab instance.
2. Update to GitLab 16.10.7, 16.11.4, or 17.0.2 depending on your current version track.
3. Follow GitLab upgrade documentation for your deployment method (Omnibus, Helm, source).
4. Restart GitLab services.

🔧 Temporary Workarounds

Disable Go module dependency scanning (applies to: all)

Temporarily disable Go module dependency scanning to prevent exploitation while patching.

Edit GitLab configuration to set 'go_modules_enabled: false' in dependency scanning settings.

Implement rate limiting (applies to: all)

Add rate limiting to API endpoints handling file uploads and dependency scanning.

Configure GitLab rate limiting via application settings or reverse proxy.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can upload files or trigger dependency scanning
  • Monitor system resources and logs for unusual patterns in Go module processing

🔍 How to Verify

Check if Vulnerable:

Check GitLab version via admin interface or run: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'

Check Version:

sudo gitlab-rake gitlab:env:info | grep 'GitLab version'

Verify Fix Applied:

Confirm version is 16.10.7, 16.11.4, or 17.0.2 or higher. Test Go module dependency scanning functionality.
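The version check above is easy to get wrong by hand because the fix lands on three separate release lines. The POSIX shell snippet below is an added example (not from the advisory or from GitLab) that classifies a version string against the ranges listed on this page: 13.1 through 16.10.6, 16.11 through 16.11.3 and 17.0 through 17.0.1 are vulnerable; 16.10.7, 16.11.4, 17.0.2 and anything later are fixed. The `version_from_env_info` helper assumes the `gitlab-rake gitlab:env:info` output carries a line starting with `Version:` or `GitLab version:`; the sample output fed to it is constructed, not captured from a real instance, and the revision value is a placeholder.

```shell
#!/bin/sh
# Added example: classify a GitLab version against the CVE-2024-1495 ranges
# given in the advisory. Not part of GitLab or of the advisory page.

# Split "MAJOR.MINOR[.PATCH][-suffix]" into MAJOR, MINOR and PATCH.
# Suffixes such as -ee / -ce are dropped; a missing PATCH is treated as 0.
split_version() {
  v=${1%%-*}
  MAJOR=${v%%.*}
  MINOR=0
  PATCH=0
  case "$v" in
    *.*.*) rest=${v#*.}; MINOR=${rest%%.*}; PATCH=${rest#*.}; PATCH=${PATCH%%.*} ;;
    *.*)   MINOR=${v#*.} ;;
  esac
}

# Print one of: not-listed | vulnerable | fixed
#   not-listed : older than 13.1, outside the range the advisory names
#   vulnerable : inside an affected range (13.1 .. 16.10.6, 16.11 .. 16.11.3,
#                17.0 .. 17.0.1); lines 13.1 .. 16.9 have no patched release
#                of their own and must be upgraded to a fixed line
#   fixed      : 16.10.7+, 16.11.4+, 17.0.2+, or any later release line
cve_2024_1495_status() {
  split_version "$1"
  if [ "$MAJOR" -lt 13 ] || { [ "$MAJOR" -eq 13 ] && [ "$MINOR" -lt 1 ]; }; then
    echo not-listed
    return 0
  fi
  if [ "$MAJOR" -gt 17 ] || { [ "$MAJOR" -eq 17 ] && [ "$MINOR" -ge 1 ]; }; then
    echo fixed
    return 0
  fi
  case "$MAJOR.$MINOR" in
    16.10) [ "$PATCH" -ge 7 ] && echo fixed || echo vulnerable ;;
    16.11) [ "$PATCH" -ge 4 ] && echo fixed || echo vulnerable ;;
    17.0)  [ "$PATCH" -ge 2 ] && echo fixed || echo vulnerable ;;
    *)     echo vulnerable ;;
  esac
}

# Pull the version out of `gitlab-rake gitlab:env:info` output read on stdin.
# Assumption: the line is "Version:<whitespace>X" or "GitLab version:<whitespace>X".
version_from_env_info() {
  sed -n -E 's/^(GitLab )?[Vv]ersion:[[:space:]]*//p' | head -n 1
}

# Constructed sample output (not captured from a real instance; revision is a placeholder).
sample=$(printf 'GitLab information\nVersion:\t16.11.2-ee\nRevision:\tPLACEHOLDER\n')
v=$(printf '%s\n' "$sample" | version_from_env_info)
printf '%s -> %s\n' "$v" "$(cve_2024_1495_status "$v")"
# On a live instance: sudo gitlab-rake gitlab:env:info | version_from_env_info
```

Run it as a script to see the constructed sample classified, or source it and pipe the real `gitlab-rake` output into `version_from_env_info` and then `cve_2024_1495_status`; any `vulnerable` result on a 13.x to 16.9 line means moving to a fixed line, not waiting for a patch on the current one.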

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for Go module dependencies
  • High CPU usage by GitLab processes handling dependency scanning
  • Error logs related to regex timeouts or resource exhaustion

Network Indicators:

  • Multiple requests to dependency scanning endpoints from single source
  • Large file uploads followed by immediate dependency scan requests

SIEM Query:

source="gitlab.logs" AND ("go.mod" OR "dependency scanning") AND (duration>30s OR error="timeout")
