CVE-2024-2800

Name of the Vulnerable Software and Affected Versions GitLab EE/CE versions 11.3 through 17.0.5 GitLab EE/CE versions 17.1 through 17.1.3 GitLab EE/CE versions 17.2 through 17.2.1

Description The issue is related to a ReDoS flaw in the RefMatcher component when matching branch names using wildcards, allowing denial of service via Regex backtracking. This can be exploited by a remote attacker to cause a denial of service. The flaw is associated with uncontrolled resource consumption due to incorrect matching of branch names with wildcards.

Recommendations For versions 11.3 through 17.0.5, update to version 17.0.6 or later. For versions 17.1 through 17.1.3, update to version 17.1.4 or later. For versions 17.2 through 17.2.1, update to version 17.2.2 or later. As a temporary workaround, consider restricting the use of wildcards in branch names to minimize the risk of exploitation.