Denial of Service Vulnerability in GitLab CE/EE Products
CVE-2024-8237

7.5HIGH

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 26 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

CVE-2024-8237 is a critical Denial of Service (DoS) vulnerability identified in GitLab Community Edition (CE) and Enterprise Edition (EE). This issue affects all versions prior to 12.6 and includes specific versions 17.4.5, 17.5.3, and 17.6.1. Attackers can exploit this vulnerability by sending a maliciously crafted cargo.toml file, leading to service disruptions. Organizations utilizing affected versions are urged to update immediately to reduce the risk of potential exploitation.

Affected Version(s)

GitLab 12.6 < 17.4.5

GitLab 17.5 < 17.5.3

GitLab 17.6 < 17.6.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-8237 - Proof of Concept

References

https://gitlab.com/gitlab-org/gitlab/-/issues/480900

issue-trackingpermissions-required

https://hackerone.com/reports/2648665

technical-descriptionexploitpermissions-required

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 26, 2024
👾
Exploit known to exist
Nov 26, 2024
Vulnerability published
Nov 26, 2024
Vulnerability Reserved
Aug 27, 2024

Credit

Thanks [l33thaxor](https://hackerone.com/l33thaxor) for reporting this vulnerability through our HackerOne bug bounty program