CVE-2024-1963
📋 TL;DR
This CVE describes a regular expression denial of service (ReDoS) vulnerability in GitLab's Asana integration. An attacker can send specially crafted requests to cause excessive CPU consumption and service degradation. All GitLab CE/EE instances with Asana integration enabled are affected.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to CPU exhaustion, affecting all GitLab functionality until the process is restarted.
Likely Case
Performance degradation and partial service disruption for users accessing GitLab during an attack.
If Mitigated
Minimal impact with proper rate limiting, monitoring, and quick incident response.
🎯 Exploit Status
Exploitation requires sending crafted requests to the Asana integration endpoint. Attackers need knowledge of the Asana integration configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.10.7, 16.11.4, or 17.0.2
Vendor Advisory: https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called
Restart Required: Yes
Instructions:
1. Backup your GitLab instance.
2. Update to GitLab 16.10.7, 16.11.4, or 17.0.2 using your preferred method (Omnibus package, Docker, source).
3. Restart GitLab services.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Asana Integration
Temporarily disable the Asana integration if it is not essential.
Navigate to Admin Area > Settings > Integrations > Asana and disable it.
Restrict Webhook Access
Implement network controls to restrict access to the Asana integration endpoints.
Configure firewall rules to limit access to GitLab's Asana webhook endpoints.
🧯 If You Can't Patch
- Disable Asana integration immediately if not required
- Implement strict rate limiting and monitoring on Asana integration endpoints
🔍 How to Verify
Check if Vulnerable:
Check GitLab version and verify Asana integration is enabled. Vulnerable versions are 8.4-16.10.6, 16.11-16.11.3, 17.0-17.0.1.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm GitLab version is 16.10.7, 16.11.4, or 17.0.2 or higher.
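As an added illustration of the version check above (this script is not part of the advisory or of GitLab), the following Python parses the output of the `gitlab-rake gitlab:env:info` command and tests the reported version against the vulnerable ranges listed on this page. The sample output is constructed; it assumes the version appears either on a line beginning "GitLab version" (as grepped above) or on a "Version:" line inside the "GitLab information" section.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges for CVE-2024-1963 as stated on this page (inclusive bounds):
# 8.4-16.10.6, 16.11-16.11.3, 17.0-17.0.1. Fixed in 16.10.7, 16.11.4, 17.0.2.
VULNERABLE_RANGES = (
    ((8, 4, 0), (16, 10, 6)),
    ((16, 11, 0), (16, 11, 3)),
    ((17, 0, 0), (17, 0, 1)),
)


def parse_version(text: str) -> Optional[Version]:
    """Return the first X.Y[.Z] number in text as a 3-tuple; '-ee'/'-ce' suffixes are ignored."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_env_info(output: str) -> Optional[Version]:
    """Pull the GitLab version out of `gitlab-rake gitlab:env:info` output.

    Accepts a 'GitLab version' line or a 'Version:' line inside the 'GitLab information'
    section; other 'Version' lines (e.g. Ruby) are deliberately skipped.
    """
    in_gitlab_section = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("GitLab information"):
            in_gitlab_section = True
            continue
        if line.startswith("GitLab version") or (in_gitlab_section and line.startswith("Version:")):
            return parse_version(line)
    return None


def is_vulnerable(version: Version, asana_enabled: bool = True) -> bool:
    """True when the version is inside an affected range and the Asana integration is enabled."""
    if not asana_enabled:
        return False
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)


# Constructed sample of env:info output (not captured from a real instance).
SAMPLE_OUTPUT = "System information\nRuby Version:\t3.1.4\nGitLab information\nVersion:\t16.10.5-ee\n"

if __name__ == "__main__":
    v = parse_env_info(SAMPLE_OUTPUT)
    print("GitLab", ".".join(map(str, v)), "vulnerable:", is_vulnerable(v))
```

Run it against `sudo gitlab-rake gitlab:env:info` output piped on stdin by replacing SAMPLE_OUTPUT with `sys.stdin.read()`; a result of True with the integration enabled means the instance needs the patch or one of the workarounds above.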
📡 Detection & Monitoring
Log Indicators:
- High CPU usage on GitLab processes
- Slow response times in Asana integration logs
- Repeated failed webhook calls with unusual patterns
Network Indicators:
- Unusual traffic patterns to Asana integration endpoints
- Multiple requests with crafted payloads
SIEM Query:
source="gitlab.log" AND ("Asana" OR "webhook") AND ("timeout" OR "slow" OR "CPU high")
🔗 References
- https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called
- https://gitlab.com/gitlab-org/gitlab/-/issues/443577
- https://hackerone.com/reports/2376482