PT-2016-7649 · Gitlab · Gitlab

Published: 2016-11-03 · Updated: 2016-11-29 · CVE-2016-9086

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: GitLab versions 8.9.0 through 8.13.2

Description: The issue is related to the "import/export project" feature in GitLab, which was introduced in version 8.9 and allows users to export and re-import projects as tape archive (tar) files. This feature did not properly check for symbolic links in user-provided archives, making it possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account, including sensitive files with secret tokens used for user authentication.
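The check that the description says was missing is easy to state: every member of a user-supplied archive must be inspected before anything is written to disk, and link members (symbolic or hard) as well as names that climb out of the destination directory must be rejected. The following Python example, added here as an illustration and not GitLab's own import code, builds a small constructed archive with one legitimate file, one symlink member pointing at a placeholder path outside the archive, and one path-traversal name, then shows an audit step and a guarded extraction that only writes the audited members. It uses only the standard library; the file names and the link target are assumptions for the demonstration.

```python
import io
import os
import tarfile
import tempfile


# Constructed sample archive (illustration only, not taken from the advisory):
# one legitimate project file, one symlink member pointing outside the archive,
# and one member whose name climbs out of the extraction directory.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b'{"name": "demo-project"}'
        info = tarfile.TarInfo("project.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))

        link = tarfile.TarInfo("VERSION")
        link.type = tarfile.SYMTYPE
        link.linkname = "/placeholder/path/outside/the/archive"  # placeholder target
        tar.addfile(link)

        escape = tarfile.TarInfo("../escape.txt")
        escape.size = 0
        tar.addfile(escape, io.BytesIO(b""))
    return buf.getvalue()


def audit_members(archive: bytes):
    """Classify archive members before anything is written to disk.

    Returns (accepted, rejected); rejected is a list of (name, reason).
    Only plain files and directories with relative, non-climbing names pass.
    """
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")
            if m.issym() or m.islnk():
                # A link member would make later reads follow the link target,
                # which is how an archive can expose files outside itself.
                rejected.append((m.name, "link member"))
            elif not (m.isfile() or m.isdir()):
                rejected.append((m.name, "special file"))
            elif os.path.isabs(m.name) or ".." in parts:
                rejected.append((m.name, "path traversal"))
            else:
                accepted.append(m.name)
    return accepted, rejected


def safe_extract(archive: bytes, dest: str) -> list:
    """Write only audited regular files/directories under dest; return their names."""
    accepted, _ = audit_members(archive)
    written = []
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            if m.name not in accepted:
                continue
            target = os.path.realpath(os.path.join(root, m.name))
            # Second line of defence: the resolved path must still sit inside dest.
            if os.path.commonpath([root, target]) != root:
                continue
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(m) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(m.name)
    return written


def demo() -> dict:
    """Run the audit and a guarded extraction in a scratch directory."""
    archive = build_sample_archive()
    accepted, rejected = audit_members(archive)
    with tempfile.TemporaryDirectory() as tmp:
        written = safe_extract(archive, tmp)
        on_disk = sorted(os.listdir(tmp))
    return {"accepted": accepted, "rejected": rejected,
            "written": written, "on_disk": on_disk}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the audit result: only `project.json` is accepted and written, while the symlink member and the `../` name are reported with a reason, which is the kind of record an importer should log so that rejected uploads are visible to operators. On Python versions that support it, `tarfile`'s built-in `filter="data"` extraction filter enforces similar rules; the explicit audit above is shown so the policy is visible in one place.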
Recommendations:
For GitLab CE and EE versions 8.13.0 through 8.13.2, update to a version outside of this range to fix the issue.
For GitLab CE and EE versions 8.12.0 through 8.12.7, update to a version outside of this range to fix the issue.
For GitLab CE and EE versions 8.11.0 through 8.11.10, update to a version outside of this range to fix the issue.
For GitLab CE and EE versions 8.10.0 through 8.10.12, update to a version outside of this range to fix the issue.
For GitLab CE and EE versions 8.9.0 through 8.9.11, update to a version outside of this range to fix the issue.

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2016-9086

Affected products

Gitlab