CVE-2023-2232: ReDoS in Jira prefix (#408352) · Issues · GitLab.org / GitLab · GitLab

An issue has been discovered in GitLab affecting all versions starting from 15.10 before 16.1, leading to a ReDoS vulnerability in the Jira prefix


Open issue created Apr 21, 2023 by GitLab SecurityBot (@gitlab-securitybot, Reporter)

ReDoS in Jira prefix

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1934802 by yvvdwf on 2023-04-05, assigned to @dcouture:


Report

Hi,

GitLab recently added a new feature that allows specifying a regex to recognize Jira issues:

### app/models/integrations/jira.rb#L351

```ruby
# Builds the regex used to recognise Jira issue keys in text.
def jira_issue_match_regex
  # jira_issue_regex is a user-supplied pattern; the default is GitLab's built-in key regex
  match_regex = (jira_issue_regex.presence || Gitlab::Regex.jira_issue_key_regex)

  # jira_issue_prefix and match_regex are interpolated unescaped into the regex literal
  /\b#{jira_issue_prefix}(?<issue>#{match_regex})/
end
```

jira_issue_prefix and jira_issue_regex are user input, which can cause a ReDoS attack.

Steps to reproduce

This feature is available on gitlab.com but not yet on user instances, so I tested this on gitlab.com and confirmed it via Gitpod:

  1. In an existing project, or create a new project, enable Jira integration:
     • fill the required inputs as you want, but the following two allow ReDoS:
     • Jira issue regex: ((a|b)+|c)+$
     • Jira issue prefix: JIRA
  2. Open a new issue:
     • title: test-jira
     • Write: JIRAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1
     • click the Save changes button
     • we can see that the puma server uses 100% CPU, then restarts after 5 minutes.

Error on gitlab.com:

Impact

This ReDoS issue causes denial of service at the back-end

What is the current bug behavior?

User input is not sanitized

What is the expected correct behavior?

User input should be sanitized before being used in a regex

Output of checks

This bug happens on GitLab.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • issue.png
  • jira-setting.png
  • 500_Error_-_GitLab.png

How To Reproduce

Please add reproducibility information to this section:
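As an added example (this is neither GitLab's code nor the fix GitLab shipped), the snippet below puts the report's raw interpolation beside a hardened way of building the same matcher from the two user-controlled settings: the prefix is treated as a literal and escaped with Regexp.escape, and the user regex is length-capped, syntax-checked and screened for the nested-quantifier shape of ((a|b)+|c)+ before it reaches the engine. The module name JiraIssueMatcher, the constants MAX_PATTERN_LENGTH and MAX_TEXT_LENGTH, and the nested_quantifier? heuristic are assumptions made for this example, and the sample strings are constructed.

```ruby
# Added example, not GitLab's code: hardening the Jira issue matcher built
# from user-supplied settings. JiraIssueMatcher, the constants and
# nested_quantifier? are assumptions made for this example.
module JiraIssueMatcher
  MAX_PATTERN_LENGTH = 100    # cap on the user-supplied regex source
  MAX_TEXT_LENGTH    = 10_000 # cap on the amount of text scanned per match

  # Mirrors the interpolation in the report: both settings are dropped raw
  # into the regex literal, so prefix metacharacters and pathological
  # patterns both reach the engine unchecked.
  def self.unsafe_matcher(prefix, user_regex)
    /\b#{prefix}(?<issue>#{user_regex})/
  end

  # Conservative structural check: rejects a quantifier applied to a group
  # that itself contains a quantifier (the shape of ((a|b)+|c)+). It is a
  # heuristic, not a proof of linear-time matching, so it is paired with
  # the length caps rather than relied on alone.
  def self.nested_quantifier?(pattern)
    stack = []                  # per open group: did a quantifier occur inside it?
    last_atom_had_quant = false # did the atom just completed contain a quantifier?
    escaped = false
    in_class = false
    i = 0
    while i < pattern.length
      c = pattern[i]
      if escaped
        escaped = false
        last_atom_had_quant = false
      elsif c == '\\'
        escaped = true
      elsif in_class
        in_class = false if c == ']'
        last_atom_had_quant = false
      elsif c == '['
        in_class = true
      elsif c == '('
        stack.push(false)
        i += 1 if pattern[i + 1] == '?' # skip the '?' of (?:...) / (?<name>...)
        last_atom_had_quant = false
      elsif c == ')'
        inner = stack.pop || false
        stack[-1] = true if inner && !stack.empty? # propagate to the enclosing group
        last_atom_had_quant = inner
      elsif '+*?{'.include?(c)
        return true if last_atom_had_quant
        stack[-1] = true unless stack.empty?
        last_atom_had_quant = false
      else
        last_atom_had_quant = false
      end
      i += 1
    end
    false
  end

  # Validates both settings before they are interpolated. Regexp.new also
  # rejects unbalanced parentheses, so the user regex cannot close the
  # named group early.
  def self.build_matcher(prefix, user_regex)
    raise ArgumentError, "prefix too long" if prefix.length > MAX_PATTERN_LENGTH
    raise ArgumentError, "issue regex too long" if user_regex.length > MAX_PATTERN_LENGTH
    raise ArgumentError, "issue regex has nested quantifiers" if nested_quantifier?(user_regex)
    Regexp.new(user_regex) # raises RegexpError on invalid syntax
    /\b#{Regexp.escape(prefix)}(?<issue>#{user_regex})/
  end

  # Scans at most MAX_TEXT_LENGTH characters and returns the first issue key, or nil.
  def self.extract_issue(matcher, text)
    m = matcher.match(text[0, MAX_TEXT_LENGTH])
    m && m[:issue]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a prefix containing a metacharacter and a plain key regex.
  safe = JiraIssueMatcher.build_matcher("JIRA.", "[A-Z]+-\\d+")
  puts JiraIssueMatcher.extract_issue(safe, "see JIRA.ABC-12 today")
end
```

With the escaped prefix, "JIRA." only matches a literal dot, whereas the raw interpolation lets the dot match any character; the nested-quantifier screen rejects the report's ((a|b)+|c)+$ pattern at configuration time rather than at match time, and the text cap bounds the work done even for patterns the heuristic does not catch.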
