CVE-2016-9469Exposed Dangerous Method or Function in Gitlab

CWE-749Exposed Dangerous Method or FunctionCWE-2646 documents6 sources
Severity
8.2HIGHNVD
EPSS
0.1%
top 66.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GitlabDebian Gitlab
Timeline
PublishedMar 28
Latest updateMay 13

Description

Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:LExploitability: 3.9 | Impact: 4.2

Affected Packages4 packages

debiandebian/gitlab< gitlab 8.13.6+dfsg2-2 (sid)
Ubuntugitlab/gitlab< 8.5.8+dfsg-5
NVDgitlab/gitlab11 versions+10
gitlabgitlab/gitlab

Patches

Patch: about.gitlab.comPatch: gitlab.comPatch: gitlab.com

🔴Vulnerability Details

2
GHSA
GHSA-5ggg-p758-cx97: Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects2022-05-13
OSV
CVE-2016-9469: Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects2017-03-28

📋Vendor Advisories

2
GitLab
CVE-2016-9469: Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects2017-03-28
Debian
CVE-2016-9469: gitlab - Multiple versions of GitLab expose a dangerous method to any authenticated user ...2016

💬Community

1
HackerOne
State filter in IssuableFinder allows attacker to delete all issues and merge requests2016-12-06