CVE-2023-4912

LOW

GitLab 10.5-16.4.2, 16.5-16.5.2, 16.6 - Client-Side Denial of Service via Malicious Mermaid Diagram Input

Title source: llm
STIX 2.1

Description

An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted mermaid diagram input.

References (2)

Core 2
Core References
Broken Link, Vendor Advisory issue-tracking permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/424882
Permissions Required, Third Party Advisory technical-description exploit permissions-required
https://hackerone.com/reports/2137421

Scores

CVSS v3 2.6
EPSS 0.0006
EPSS Percentile 18.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

Details

CWE
CWE-770
Status published
Products (5)
gitlab/gitlab 16.6.0
GitLab/GitLab 10.5 - 16.4.3
gitlab/gitlab 10.5.0 - 16.4.3
GitLab/GitLab 16.5 - 16.5.3
GitLab/GitLab 16.6 - 16.6.1
Published Dec 01, 2023
Tracked Since Feb 18, 2026