Regular Expression Vulnerability in GitLab EE Affecting Multiple Versions
CVE-2020-13349

4.3MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab Ee
Vendor: CVE Published:; 17 November 2020

Summary

A vulnerability exists in GitLab EE where the Advanced Search feature is prone to catastrophic backtracking due to an inefficient regular expression related to file paths. This affects GitLab versions starting from 8.12, with specific ranges identified that are susceptible to exploitation. Attackers could potentially leverage this flaw to degrade performance or cause denial of service, especially when processing complex search queries.

Affected Version(s)

GitLab EE >=8.12 >= 8.12

GitLab EE <13.3.9 < 13.3.9

GitLab EE >=13.4 >= 13.4

References

https://gitlab.com/gitlab-org/gitlab/-/issues/257497

x_refsource_MISC

https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 17, 2020
Vulnerability Reserved
May 21, 2020

Credit

This vulnerability has been discovered internally by the GitLab team