CVE-2023-6386
Published: 05 February 2025
Summary
CVE-2023-6386 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in GitLab (vendor: GitLab). Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 13.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2023-6386 is a denial of service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). It affects all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2. The issue enables an attacker to spike the GitLab instance's resource usage, resulting in service degradation. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).
An authenticated attacker with low privileges, such as a project member, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation causes significant resource exhaustion on the GitLab instance, leading to high-impact denial of service through degraded performance or unavailability, while having no effect on confidentiality or integrity.
Mitigation requires upgrading to GitLab 16.6.7, 16.7.5, 16.8.2, or later versions, where the vulnerability is fixed. Additional details are available in the GitLab security issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/433147 and the corresponding HackerOne disclosure report at https://hackerone.com/reports/2261581.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58626
Vulnerability details
A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2, which allows an attacker to spike the GitLab instance resource usage, resulting in service degradation.
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Application or System Exploitation
Why these techniques?
This CVE enables an authenticated, remote resource-exhaustion denial of service via application exploitation (CWE-770).
Mitigating Controls (NIST 800-53 r5)
SC-5 directly protects against denial-of-service vulnerabilities like CVE-2023-6386 by limiting the effects of resource exhaustion attacks.
SC-6 ensures resource availability by enforcing allocation limits and throttling, addressing the CWE-770 root cause of unbounded resource usage in GitLab.
SI-2 mandates timely flaw remediation through patching, directly mitigating CVE-2023-6386 by upgrading to fixed GitLab versions.