GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*, +2 more
- >= 14.1, < 17.6.5
- >= 17.7, < 17.7.4
- >= 17.8, < 17.8.2
A denial-of-service vulnerability exists in GitLab CE/EE versions 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. The vulnerability allows an attacker to disrupt GitLab's availability by creating an excessive number of symbols through the 'scopes' parameter in a Personal Access Token. This unbounded symbol creation leads to memory exhaustion, as symbols in Ruby are not garbage collected and remain in memory for the duration of the program's execution.
Exploitation of this vulnerability can cause a complete denial-of-service condition on the GitLab instance, leading to a failure of all running services.
The vulnerability can be reproduced by sending a POST request to the Personal Access Tokens controller with a 'scopes' parameter that includes a large number of values. This can be done using a proof-of-concept script that automates the process of sending requests and monitors the GitLab instance's status. The script can be customized to include the necessary authentication tokens and GitLab instance URL.
Users can update to GitLab versions 17.8.2, 17.7.4, or 17.6.5 to address this vulnerability.
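The root cause described above is a general Ruby anti-pattern: calling `to_sym` on every value a client sends, so the client controls how many entries land in the symbol table. The block below is an added example, not GitLab's code, contrasting that pattern with an allowlist check that only interns strings the application already knows; the scope names, the limit and the method names are constructed for illustration.

```ruby
require 'set'

# Constructed allowlist for this example; a real application keeps its own
# fixed set of scope names. Only these strings are ever converted to symbols.
ALLOWED_SCOPES = %w[api read_api read_user read_repository write_repository].freeze
ALLOWED_SCOPE_SET = Set.new(ALLOWED_SCOPES).freeze
MAX_SCOPES = ALLOWED_SCOPES.size

class InvalidScopesError < ArgumentError; end

# Vulnerable pattern: every client-supplied value becomes a symbol, so the
# number of symbols created is bounded only by the size of the request.
def scopes_unsafe(raw_scopes)
  Array(raw_scopes).map { |v| v.to_s.to_sym }
end

# Hardened pattern: reject oversized lists and unknown names *before* any
# conversion, so the symbol table can only ever contain the allowlisted set.
def scopes_safe(raw_scopes)
  values = Array(raw_scopes).map(&:to_s)
  raise InvalidScopesError, "too many scopes (#{values.size} > #{MAX_SCOPES})" if values.size > MAX_SCOPES

  unknown = values.reject { |v| ALLOWED_SCOPE_SET.include?(v) }
  raise InvalidScopesError, "unknown scopes: #{unknown.uniq.join(', ')}" unless unknown.empty?

  # to_sym runs only on strings that matched the fixed allowlist.
  values.uniq.map(&:to_sym)
end

# Measures how many entries the symbol table gains while a block runs.
# Useful for observing the difference between the two patterns locally;
# the exact numbers depend on the Ruby version and GC timing.
def symbol_table_growth
  before = Symbol.all_symbols.size
  yield
  Symbol.all_symbols.size - before
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a request body carrying many never-seen scope names.
  hostile = Array.new(10_000) { |i| "scope_#{i}_#{rand(1 << 32)}" }

  puts "unsafe: +#{symbol_table_growth { scopes_unsafe(hostile) }} symbols"
  puts "safe:   +#{symbol_table_growth { scopes_safe(hostile) rescue nil }} symbols"
  p scopes_safe(%w[api read_user api])
end
```

Running the script prints a large symbol-table delta for `scopes_unsafe` and zero for `scopes_safe`, which rejects the request with `InvalidScopesError` without interning anything. A request size limit at the web server or framework layer is a complementary control, but the allowlist is what removes the client's influence over the symbol table entirely.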