CVE-2019-19313
Description
GitLab EE 12.3 through 12.5, 12.4.3, and 12.3.6 allows Denial of Service. Certain characters were making it impossible to create, edit, or view issues and commits.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE 12.3 through 12.5 (including the 12.4.3 and 12.3.6 patch releases) allows denial of service via a crafted Markdown link containing a character whose code point lies above 65533 (U+FFFD), which makes the issue and commit comment pages unreadable.
Vulnerability
GitLab EE versions 12.3 through 12.5, including 12.4.3 and 12.3.6, are vulnerable to a denial-of-service (DoS) condition on the Issue and Commit comment pages [1]. The bug is triggered by a Markdown link that contains a character whose Unicode code point is above 65533 (that is, above U+FFFD, the replacement character; characters from the supplementary planes such as emoji fall in this range). Once such a comment is stored, the server answers requests that load the discussion with HTTP 500, so users can no longer create, edit, or view the affected issues and commits.
Exploitation
Any user who is allowed to post comments on a project's issue or commit page can exploit this [1]. The attacker posts a comment containing a Markdown link whose text or target includes a character above code point 65533 (U+FFFD); the referenced issue report carries a proof-of-concept file. Once the comment is stored, every subsequent request that renders the discussion (for example the discussions.json endpoint) fails with HTTP 500. The failure is not limited to the issue page: the project's Activity page and RSS feed, which render the same note, break as well. No privilege beyond the ability to comment is required.
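The following Ruby snippet is an added example, not GitLab code and not the project's fix; it shows the triage check a GitLab administrator would want after reading the paragraphs above: find stored Markdown comments that contain a link carrying a code point above 65533 (the page's "above U+65533" is read here as the decimal code point 65533, i.e. U+FFFD, which is an assumption about the report's wording), and neutralize such characters before the note is handed to the renderer. The regular expression, the function names, and the sample comments are all constructed for this example; the link regex is a triage heuristic, not a CommonMark parser.

```ruby
# Added example for CVE-2019-19313 triage (not GitLab's own code).
# Trigger described in the report: a Markdown link containing a character
# whose code point exceeds 65533 (U+FFFD). Emoji and other supplementary-
# plane characters (U+10000 and up) are the typical case.

MAX_SAFE_CODEPOINT = 0xFFFD # 65533 decimal, the threshold named in the report

# Inline Markdown links of the form [text](target). Heuristic only: it does
# not handle nested brackets or reference-style links (assumption: adequate
# for scanning stored comments).
MARKDOWN_LINK = /\[[^\]]*\]\([^)]*\)/

# Return one hash per link whose text or target carries an offending code
# point. An empty array means the comment cannot trigger the bug.
def suspicious_links(markdown)
  markdown.to_enum(:scan, MARKDOWN_LINK).map do
    link = Regexp.last_match[0]
    bad = link.each_codepoint.select { |cp| cp > MAX_SAFE_CODEPOINT }.uniq
    next if bad.empty?

    { link: link, codepoints: bad.map { |cp| format('U+%04X', cp) } }
  end.compact
end

# Scan a collection of comment bodies; returns {index => hits} for the ones
# that would break the discussion page.
def scan_comments(comments)
  comments.each_with_index.each_with_object({}) do |(body, idx), out|
    hits = suspicious_links(body)
    out[idx] = hits unless hits.empty?
  end
end

# Replace every code point above the threshold with U+FFFD so the stored
# text stays at or below 65533. This is a clean-up helper for an admin
# script (assumption), not the upstream fix.
def neutralize(markdown)
  markdown.each_char.map { |ch| ch.ord > MAX_SAFE_CODEPOINT ? "\uFFFD" : ch }.join
end

# Constructed sample comments (not real GitLab data).
SAMPLE_COMMENTS = [
  'Plain text with an emoji 💣 outside any link',  # not inside a link
  'See [the ☃ snowman](https://example.com)',     # U+2603 is below the threshold
  'See [💣 bomb](https://example.com/x)',          # U+1F4A3 in the link text
  'Link [target](https://example.com/💣)'          # U+1F4A3 in the link target
].freeze

if $PROGRAM_NAME == __FILE__
  scan_comments(SAMPLE_COMMENTS).each do |idx, hits|
    puts "comment #{idx}: #{hits.map { |h| h[:codepoints].join(',') }.join(' ')}"
    puts "  neutralized: #{neutralize(SAMPLE_COMMENTS[idx])}"
  end
end
```

Only the two comments whose link contains U+1F4A3 are reported; an emoji outside a link and a BMP character such as U+2603 inside one are left alone, which matches the trigger as the report describes it. Whether an emoji outside a link is genuinely harmless on an unpatched instance is not something this script can confirm; it only encodes the condition stated in the report.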
Impact
Successful exploitation denies service to every user of the affected project [1]. The comments on the poisoned issue or commit become unreadable, and nobody can create, edit, or delete comments on that page through the web UI because the page itself no longer renders. The condition persists until the offending comment is removed by an administrator or the instance is upgraded to a fixed release.
Mitigation
GitLab fixed the bug in the security release announced on 27 November 2019 [1]. Administrators should upgrade to GitLab EE 12.5.1 or later, or to the corresponding backported 12.4 and 12.3 patch releases listed in the same security announcement. Where an immediate upgrade is not possible, the only stopgap is to remove the offending comment outside the web UI, for example directly in the database, since the page that would normally be used to delete it no longer renders; there is no workaround within the application itself.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab / GitLab EE
  - Range: >=12.3, <=12.5, including 12.4.3 and 12.3.6
Patches
- 3c1b3929bc6704025dea899895b6250ce868e
References
1. https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
2. https://about.gitlab.com/blog/categories/releases/
3. https://gitlab.com/gitlab-org/gitlab/issues/14947