CVE CyberSecurity Database News

CVE-2024-9367 - GitLab Changelog Template Parsing DoS Vulnerability Explained

Poster -

CVE-2024-9367 is a security vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The issue affects all versions from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Attackers can exploit this bug to cause uncontrolled CPU usage on the GitLab server when it tries to parse specially crafted templates for generating changelogs. This can lead to a Denial of Service (DoS), making the GitLab service slow or even unavailable.

Why Does It Happen?

GitLab uses templates to generate changelogs for releases. An attacker who can supply a malicious or "evil" template can trick the server into entering a CPU-intensive process that doesn’t end quickly. GitLab's backend keeps processing the template, eating up CPU cycles. In some cases, this can freeze the server or crash it under too much load.

You are affected if your GitLab version is

- CE/EE 13.9 or later < 17.4.6
- CE/EE 17.5 < 17.5.4
- CE/EE 17.6 < 17.6.2

If you haven't updated to 17.4.6, 17.5.4, or 17.6.2 or above, your instance is vulnerable.

Example: How Could This Be Exploited?

The core vulnerability sits in the way GitLab's backend parses user-supplied template content for changelogs. If a template contains heavy logic or recursive calls (like nested loops), the server might get stuck "thinking" forever.

Here's a simple example using Liquid, GitLab's templating engine. If an attacker submits a changelog template like this:

{% assign count =  %}
{% for i in (1..100000000) %}
  {% assign count = count | plus: 1 %}
{% endfor %}
Total: {{ count }}

This innocent-looking code will cause the server to spin in a loop 100 million times, eating up all available CPU.

Depending on the limits in place, variations like infinite loops can be deadly

{% assign i =  %}
{% while i < 100000000 %}
  {% assign i = i | plus: 1 %}
{% endwhile %}

*Note: Pure infinite loops can sometimes be blocked, but it’s easy for an attacker to craft something that’s “legal” but still consumes tons of resources.*

With a single GitLab user account and the ability to manage releases

1. Attacker submits a crafted template as part of release/changelog process.

Legitimate users experience slowness or complete service failure (DoS).

This is a classic resource exhaustion attack—no fancy hacking, just clever use of existing features.

Patch versions:

- 17.4.6 CE/EE
- 17.5.4 CE/EE
- 17.6.2 CE/EE

If you cannot upgrade immediately, deny access to release features for untrusted users and audit changelog templates for unapproved content.

References & Further Reading

- GitLab Advisory for CVE-2024-9367
- NVD Entry
- GitLab Release Notes
- Liquid Templating Docs

Quick Summary

CVE-2024-9367 is a dangerous bug in GitLab’s template parsing, explorable by giving it a massive or malicious templating file. Attackers can waste server CPU, leading to a service outage. Update GitLab now to stay safe!


© 2024 – This content is custom-written for this request and not copied from other online sources.

Timeline

Published on: 12/12/2024 12:15:28 UTC