{"id":"CVE-2024-1963","summary":"Uncontrolled Resource Consumption in GitLab","details":"An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.","aliases":["BIT-gitlab-2024-1963"],"modified":"2026-04-02T09:57:07.123245Z","published":"2024-06-12T23:02:11.841Z","database_specific":{"cwe_ids":["CWE-1333"],"cna_assigner":"GitLab","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/1xxx/CVE-2024-1963.json"},"references":[{"type":"WEB","url":"https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/1xxx/CVE-2024-1963.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1963"},{"type":"REPORT","url":"https://gitlab.com/gitlab-org/gitlab/-/issues/443577"},{"type":"REPORT","url":"https://hackerone.com/reports/2376482"},{"type":"PACKAGE","url":"git://git@gitlab.com:gitlab-org/gitlab.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"5b5777b8cf3328d27ef549c31f70993da1d1b267"},{"fixed":"9ec4d64efe3c4c92cc03112b5b3e150829196b06"}],"database_specific":{"versions":[{"introduced":"8.4"},{"fixed":"16.10.7"}]}},{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"22834294718a25956b0a859c8eed72248300eeee"},{"fixed":"357ddf12ef8c2b807724bf694a6e2f93030ead4b"}],"database_specific":{"versions":[{"introduced":"16.11"},{"fixed":"16.11.4"}]}},{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"8c75d0bf4a4190d94326f1a854d0a102ceca4392"},{"fixed":"23b707e976d91b0e43abb14493c7782e8ff79187"}],"database_specific":{"versions":[{"introduced":"17.0"},{"fixed":"17.0.2"}]}}],"versions":["v16.11.0-ee","v16.11.1-ee","v16.11.2-ee","v16.11.3-ee","v16.11.3-rc42-ee","v17.0.0-ee","v17.0.1-ee","v17.0.1-rc42-ee","v8.4.0-ee","v8.4.1-ee","v8.4.10-ee","v8.4.11-ee","v8.4.2-ee","v8.4.3-ee","v8.4.4-ee","v8.4.5-ee","v8.4.6-ee","v8.4.7-ee","v8.4.8-ee","v8.4.9-ee"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-1963.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}