CVE-2023-6386
Published: 05 February 2025
Description
A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2, which allows an attacker to spike the GitLab instance's resource usage, resulting in service degradation.
Security Summary
CVE-2023-6386 is a denial of service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). It affects all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2. The issue enables an attacker to spike the GitLab instance's resource usage, resulting in service degradation. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).
An authenticated attacker with low privileges, such as a project member, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation causes significant resource exhaustion on the GitLab instance, leading to high-impact denial of service through degraded performance or unavailability, while having no effect on confidentiality or integrity.
Mitigation requires upgrading to GitLab 16.6.7, 16.7.5, 16.8.2, or later versions, where the vulnerability is fixed. Additional details are available in the GitLab security issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/433147 and the corresponding HackerOne disclosure report at https://hackerone.com/reports/2261581.
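As an added defender-side check, not part of the advisory or of GitLab's own code: a small Python helper that tests an instance's reported version string against the three affected ranges above and names the first fixed release to upgrade to. It assumes version strings in GitLab's usual MAJOR.MINOR.PATCH[-ee] form (for example the version field returned by the instance's /api/v4/version endpoint), and the sample inputs at the bottom are constructed.

```python
import re

# Affected ranges from the advisory, as [lower, upper) version tuples.
# Lower bounds with no patch number ("15.11") mean the .0 release.
AFFECTED_RANGES = (
    ((15, 11, 0), (16, 6, 7)),
    ((16, 7, 0), (16, 7, 5)),
    ((16, 8, 0), (16, 8, 2)),
)


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable int tuple.

    GitLab reports versions like '16.6.7-ee'; the edition suffix is ignored.
    A pre-release tag (e.g. '-pre') is also ignored, so a nightly build is
    treated like the release it is named after.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text):
    """True if the version falls inside any range listed in the advisory."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(text):
    """Return the first patched release for a vulnerable version, else None."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None


if __name__ == "__main__":
    # Constructed sample inputs covering both sides of each boundary.
    for sample in ("15.10.9", "15.11", "16.3.2-ee", "16.6.7-ee",
                   "16.7.4", "16.7.5", "16.8.1", "16.8.2", "16.9.0"):
        fix = fixed_version_for(sample)
        print(f"{sample:10} affected={is_affected(sample)!s:5} fix={fix}")
```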
Details
- CWE(s)