GitLab is vulnerable to CVE-2019-5419, a DoS vulnerability in actionview
HackerOne report #509414 by xanbanx
on 2019-03-13, assigned to dappelt
Hi,
this time it is a vulnerability in rails. GitLab is currently using rails 5.0.7.1, which is vulnerable to [CVE-2019-5419](https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI), a denial of service vulnerability in Action View.
As described in the vulnerability disclosure:
Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the server unable to process requests. This impacts all Rails applications that render views.
GitLab is currently using one of the affected rails versions (5.0.7.2).
Steps to mitigate
Update to rails 5.0.7.2
Impact
An attacker can perform a denial of service attack on GitLab servers and on gitlab.com.
Edited by GitLab SecurityBot
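The remediation the report asks for is a version bump, so the useful follow-up for a defender is a check that tells you whether a deployed application's locked actionview release is at or above the fixed release for its series. The script below is an added example written for this page; it is not code from the report, from xanbanx, or from GitLab. It assumes a standard Bundler `Gemfile.lock` layout (gem specs indented by four spaces under `specs:`) and uses the fixed releases listed in the Rails security announcement the report links to; only 5.0.7.2 is stated in the report itself, the other series floors are taken from that announcement. The sample lockfile is constructed for the example.

```ruby
require "rubygems"

# Fixed actionview releases per release series, as published in the Rails
# security announcement for CVE-2019-5419 that the report links to. Any
# release in a series that sorts below its floor is affected.
FIXED_ACTIONVIEW = {
  "4.2" => Gem::Version.new("4.2.11.1"),
  "5.0" => Gem::Version.new("5.0.7.2"),   # the release the report asks GitLab to move to
  "5.1" => Gem::Version.new("5.1.6.2"),
  "5.2" => Gem::Version.new("5.2.2.1"),
  "6.0" => Gem::Version.new("6.0.0.beta3"),
}.freeze

# Constructed sample Gemfile.lock fragment (not GitLab's real lockfile),
# locking the 5.0.7.1 release the report says GitLab was running.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.0.7.1)
        actionview (= 5.0.7.1)
      actionview (5.0.7.1)
        activesupport (= 5.0.7.1)
LOCK

# Return the locked actionview version from Gemfile.lock text, or nil.
# Only the four-space-indented spec line "    actionview (x.y.z)" is a lock;
# six-space-indented lines are dependency constraints and are ignored.
def locked_actionview_version(lockfile_text)
  m = lockfile_text.match(/^ {4}actionview \((\d[^)]*)\)/)
  m && Gem::Version.new(m[1])
end

# true  -> affected (below the fixed floor for its series)
# false -> at or above the fixed floor
# nil   -> series not covered by the advisory table (decide manually)
def actionview_vulnerable?(version)
  v = Gem::Version.new(version.to_s)
  floor = FIXED_ACTIONVIEW[v.segments[0, 2].join(".")]
  return nil if floor.nil?
  v < floor
end

# Human-readable verdict for a whole lockfile.
def check_lockfile(lockfile_text)
  v = locked_actionview_version(lockfile_text)
  return "actionview is not locked in this Gemfile.lock" if v.nil?
  case actionview_vulnerable?(v)
  when true
    floor = FIXED_ACTIONVIEW[v.segments[0, 2].join(".")]
    "actionview #{v} is affected by CVE-2019-5419; upgrade to #{floor} or later"
  when false
    "actionview #{v} includes the CVE-2019-5419 fix"
  else
    "actionview #{v} is outside the series covered by the advisory; review manually"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_actionview.rb [path/to/Gemfile.lock]
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts check_lockfile(text)
end
```

`Gem::Version` orders prerelease tags correctly, so `6.0.0.beta2` sorts below the `6.0.0.beta3` floor while `6.0.0` sorts above it; a plain string comparison would get both of those wrong. Point the script at a production `Gemfile.lock` rather than the `Gemfile`, since only the lockfile records what is actually deployed.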