CVE-2024-2651
Published: 14 May 2024
Summary
CVE-2024-2651 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in GitLab CE/EE (vendor: GitLab). Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 19.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, and all versions starting from 16.11 before 16.11.2. The vulnerability permits an attacker to trigger a denial of service through specially crafted markdown content and carries a CVSS 3.1 score of 6.5 with a high impact on availability.
An authenticated user with low privileges can submit the malicious markdown over the network, causing the application to become unavailable without requiring user interaction or elevated access. The weakness is tracked under CWE-1333.
Public advisories and the associated GitLab and HackerOne reports direct administrators to apply the fixed releases 16.9.7, 16.10.5, or 16.11.2. The EPSS score rose from a low baseline to a peak of 0.0761 before receding, indicating a period of increased exploitation interest after disclosure.
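The affected ranges and fixed releases above translate directly into a triage check. The following is an added example, not code from the advisory or from GitLab: it parses a GitLab version string (assumed to be in MAJOR.MINOR.PATCH form, optionally followed by a suffix such as `-ee`) and reports which fixed release a host must move to, using only the ranges the advisory states. The inventory at the bottom is constructed sample data.

```python
"""Triage helper for CVE-2024-2651 (added example, not part of the advisory).

Affected ranges, taken from the advisory text:
  - all versions before 16.9.7
  - 16.10.x before 16.10.5
  - 16.11.x before 16.11.2
"""
import re

# (branch lower bound, fixed release), newest branch first; None = every older branch.
FIXED_RELEASES = [
    ((16, 11, 0), (16, 11, 2)),
    ((16, 10, 0), (16, 10, 5)),
    (None, (16, 9, 7)),
]


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', optional suffix) into an int tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(part) for part in m.groups())


def required_fix(version):
    """Return the fixed release tuple the host should run, or None if not affected."""
    v = parse_version(version)
    for lower, fixed in FIXED_RELEASES:
        if lower is not None and v < lower:
            continue  # belongs to an older branch; keep looking
        # v is on this branch (or, for the last entry, on any older branch):
        # it is affected only if it is below that branch's fixed release.
        return fixed if v < fixed else None
    return None


def format_version(v):
    return ".".join(str(part) for part in v)


def triage(inventory):
    """Map host name -> fixed release string to upgrade to, or None if already safe."""
    result = {}
    for host, version in inventory.items():
        fix = required_fix(version)
        result[host] = format_version(fix) if fix else None
    return result


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = {
    "git-prod-1": "16.9.6-ee",
    "git-prod-2": "16.10.5",
    "git-staging": "16.11.1",
    "git-legacy": "15.11.13",
    "git-new": "17.0.0",
}

if __name__ == "__main__":
    for host, fix in triage(INVENTORY).items():
        status = f"upgrade to {fix}" if fix else "not affected"
        print(f"{host:12s} {INVENTORY[host]:12s} {status}")
```

Because the fix was backported to three branches, a host on 16.9.8 is not affected even though it is older than 16.10.5; the check therefore compares against the fixed release of the host's own branch rather than against a single minimum version.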
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-27600
Vulnerability details
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, and all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.
- CWE(s): CWE-1333 (Inefficient Regular Expression Complexity)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.