CVE-2024-2878
Published: 05 February 2025
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms for branch names.
Security Summary
CVE-2024-2878 is a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The issue allows an attacker to trigger excessive resource consumption by crafting unusual search terms for branch names, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its network accessibility and lack of required privileges.
An unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By submitting specially crafted search queries for branch names, the attacker causes GitLab to allocate excessive resources, leading to a denial of service (A:H) that disrupts service availability without impacting confidentiality or integrity.
GitLab addressed the vulnerability in patch releases, including version 16.11.2, as detailed in the release notes. Administrators should upgrade to GitLab 16.9.7 or later, 16.10.5 or later, or 16.11.2 or later to mitigate the issue. Further details are available in the GitLab issue tracker (https://gitlab.com/gitlab-org/gitlab/-/issues/451918) and the associated HackerOne report (https://hackerone.com/reports/2416356).
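For administrators auditing their own fleet, the three affected ranges above translate into a simple version check. The following Python is an added example written here, not code from GitLab or from this advisory; it assumes version strings in GitLab's usual `MAJOR.MINOR.PATCH` form, optionally prefixed with `v` or suffixed with an edition tag such as `-ee`, and encodes only the ranges the advisory states (an affected instance is one at or above the range start and below the first fixed release).

```python
"""Check whether a GitLab CE/EE version lies in a range affected by CVE-2024-2878.

Ranges are taken verbatim from the advisory: affected from 15.7 before 16.9.7,
from 16.10 before 16.10.5, and from 16.11 before 16.11.2. The fixed release of
each range is the minimum upgrade target for versions inside it.
"""
import re

# (first affected version, first fixed version): inclusive lower bound, exclusive upper bound
AFFECTED_RANGES = [
    ("15.7", "16.9.7"),
    ("16.10", "16.10.5"),
    ("16.11", "16.11.2"),
]

_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Turn '16.9.7', 'v16.10' or '16.10.4-ee' into a comparable (major, minor, patch) tuple.

    Missing components are treated as 0, so '16.10' compares as 16.10.0; the
    edition suffix (assumed format, e.g. '-ee') is ignored for range purposes.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) if part else 0 for part in match.groups())


def minimum_fix_for(version):
    """Return the first fixed release for an affected version, or None if not affected."""
    parsed = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= parsed < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    return minimum_fix_for(version) is not None


def audit(versions):
    """Map each reported version to its required upgrade target (None when already safe)."""
    return {v: minimum_fix_for(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = ["15.6.2", "15.7.0", "16.9.6", "16.9.7", "v16.10", "16.10.4-ee", "16.11.1", "16.11.2", "17.0.0"]
    for ver, fix in audit(inventory).items():
        print(f"{ver:12} -> {'upgrade to ' + fix if fix else 'not affected'}")
```

Versions below 15.7, at or above each fixed release, or in the gaps between ranges (for example 16.9.8) report as not affected, which matches the advisory's wording; the check says nothing about versions outside the stated ranges beyond that.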
Details
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)