Cyber Resilience

CVE-2024-2651

Medium

Published: 14 May 2024
Modified: 12 December 2024
KEV Added: not in the CISA KEV catalog
Patch: fixed releases 16.9.7, 16.10.5, 16.11.2
CVSS v3.1 score: 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0132 (80.3rd percentile)
Risk priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-2651 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in GitLab (vendor: GitLab). Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 19.7% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, and all versions starting from 16.11 before 16.11.2. The vulnerability permits an attacker to trigger a denial of service through specially crafted markdown content and carries a CVSS 3.1 score of 6.5 with a high impact on availability.

An authenticated user with low privileges can submit the malicious markdown over the network; the regular-expression processing of that content consumes enough resources to make the application unavailable, with no user interaction or elevated access required. The weakness is tracked under CWE-1333 (Inefficient Regular Expression Complexity).

Public advisories and the associated GitLab and HackerOne reports direct administrators to apply the fixed releases 16.9.7, 16.10.5, or 16.11.2. The EPSS score rose from a low baseline to a peak of 0.0761 before receding, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown content.

CWE(s)

CWE-1333: Inefficient Regular Expression Complexity

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gitlab
Product: gitlab
Versions: ≤ 16.9.7 · 16.10.0 to 16.10.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.