CVE-2016-9086 — Sensitive Information Exposure in Gitlab

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

13.5%

top 5.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Gitlab Gitlab Gitlab CE

Timeline

PublishedNov 3

Latest updateMay 17

Description

GitLab versions 8.9.x and above contain a critical security flaw in the "import/export project" feature of GitLab. Added in GitLab 8.9, this feature allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users. This feature did not properly check for symbolic links in user-provided archives and therefore it was pos…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/gitlab< gitlab 8.13.3+dfsg1-2 (sid)

▶NVDgitlab/gitlab46 versions+45

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

Patches

Patch: about.gitlab.com ↗Patch: about.gitlab.com ↗

🔴Vulnerability Details

GHSA

GHSA-8r73-cjhp-chc2: GitLab versions 8↗2022-05-17

▶

📋Vendor Advisories

GitLab

CVE-2016-9086: GitLab versions 8.9.x and above contain a critical security flaw in the "import/export project" feature of GitLab. Added in GitLab 8.9, this feature a↗2016-11-03

▶

Debian

CVE-2016-9086: gitlab - GitLab versions 8.9.x and above contain a critical security flaw in the "import/...↗2016

▶