GitLab is vulnerable to CVE-2019-5419, a DoS vulnerability in actionview
HackerOne report #509414 by
xanbanx on 2019-03-13, assigned to
This time it is a vulnerability in Rails. GitLab is currently using Rails 184.108.40.206, which is vulnerable to [CVE-2019-5419](https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI), a denial of service vulnerability in Action View.
As described in the vulnerability disclosure:
Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the server to be unable to process requests. This impacts all Rails applications that render views.
GitLab is currently using one of the affected Rails versions (220.127.116.11).
Steps to mitigate
Update to Rails 18.104.22.168.
An attacker can perform a denial of service attack on self-hosted GitLab servers and on gitlab.com.
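Alongside the Rails upgrade, a Rack middleware can act as defence in depth by rejecting Accept headers that look nothing like what real clients send, before they reach Action View's format negotiation. This is an added example, not code from the report or from GitLab; the class name, the thresholds and the media-range pattern are assumptions to tune for your application.

```ruby
# Rack middleware that rejects implausible Accept headers before Rails
# content negotiation runs. Thresholds are assumptions, not Rails defaults.
class AcceptHeaderGuard
  MAX_LENGTH = 512        # bytes; browser Accept headers are well under this
  MAX_MEDIA_RANGES = 16   # comma-separated media ranges
  # type/subtype with optional ;key=value parameters (e.g. text/html;q=0.9)
  MEDIA_RANGE = %r{\A[\w.+*-]+/[\w.+*-]+(\s*;\s*[\w-]+=("[^"]*"|[\w.+-]+))*\z}

  def initialize(app)
    @app = app
  end

  def call(env)
    accept = env['HTTP_ACCEPT']
    return @app.call(env) if accept.nil? || accept.empty?
    return reject(env) unless self.class.acceptable?(accept)
    @app.call(env)
  end

  # True when the header is short, has few media ranges and each range
  # is syntactically a media range.
  def self.acceptable?(accept)
    return false if accept.bytesize > MAX_LENGTH
    ranges = accept.split(',').map(&:strip)
    return false if ranges.size > MAX_MEDIA_RANGES
    ranges.all? { |range| range.match?(MEDIA_RANGE) }
  end

  private

  def reject(env)
    # 406 tells the client negotiation failed; the log line gives the
    # SOC a signal to alert on if rejections spike.
    env['rack.errors']&.puts("rejected Accept header from #{env['REMOTE_ADDR']}")
    [406, { 'Content-Type' => 'text/plain' }, ["Not Acceptable\n"]]
  end
end
```

Insert it early in the middleware stack (for example with `config.middleware.insert_before 0, AcceptHeaderGuard` in a Rails initializer) so rejected requests never reach the template resolver.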