Vulnerability in GitLab Allows Unauthorized Deletion of Issues and Merge Requests
CVE-2016-9469
Summary
Multiple versions of GitLab have a vulnerability that permits authenticated users, and potentially unauthenticated users on publicly available projects, to delete all Issue and MergeRequest objects. This flaw poses a significant risk to the integrity of GitLab projects. Affected versions of GitLab include those up to 8.14.2. Updates addressing this issue were released on December 5, 2016, and users are urged to update to a patched version.
Affected Version(s)
GitLab Community Edition & GitLab Enterprise Edition 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1