VYPR
Get started
← All advisories
Medium severity6.5NVD Advisory· Published Nov 3, 2016· Updated May 6, 2026

CVE-2016-9086

CVE-2016-9086

Description

GitLab versions 8.9.x and above contain a critical security flaw in the "import/export project" feature of GitLab. Added in GitLab 8.9, this feature allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users. This feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account. This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users. GitLab CE and EE versions 8.13.0 through 8.13.2, 8.12.0 through 8.12.7, 8.11.0 through 8.11.10, 8.10.0 through 8.10.12, and 8.9.0 through 8.9.11 are affected.

Affected products

46
  • GitLab Inc./GitLab46 versions
    cpe:2.3:a:gitlab:gitlab:8.10.0:*:*:*:*:*:*:*+ 45 more
    • cpe:2.3:a:gitlab:gitlab:8.10.0:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.10:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.11:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.12:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.3:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.4:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.5:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.6:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.7:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.8:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.10.9:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.11.0:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.11.1:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.11.2:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.11.3:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.11.4:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.11.5:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.11.6:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.11.7:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.11.8:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.11.9:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.12.0:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.12.1:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.12.2:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.12.3:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.12.4:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.12.5:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.12.6:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.12.7:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.13.0:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.13.1:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.13.2:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.10:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.11:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.8:*:*:*:*:*:*:*
    • cpe:2.3:a:gitlab:gitlab:8.9.9:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.