CVE-2023-3385

Name of the Vulnerable Software and Affected Versions GitLab versions 8.10 through 16.0.7 GitLab versions 16.1 through 16.1.2 GitLab versions 16.2 through 16.2.1

Description An issue has been discovered in GitLab where a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file under specific circumstances. This issue is due to a bug in the tar function, which has been fixed in a later version.

Recommendations For GitLab versions 8.10 through 16.0.7, update to version 16.0.8 or later. For GitLab versions 16.1 through 16.1.2, update to version 16.1.3 or later. For GitLab versions 16.2 through 16.2.1, update to version 16.2.2 or later. As a temporary workaround, consider restricting the import of projects 'from export' to minimize the risk of exploitation.