{"id":"CVE-2016-9086","details":"GitLab versions 8.9.x and above contain a critical security flaw in the \"import/export project\" feature of GitLab. Added in GitLab 8.9, this feature allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users. This feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account. This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users. GitLab CE and EE versions 8.13.0 through 8.13.2, 8.12.0 through 8.12.7, 8.11.0 through 8.11.10, 8.10.0 through 8.10.12, and 8.9.0 through 8.9.11 are affected.","modified":"2026-04-10T03:54:03.603937Z","published":"2016-11-03T10:59:09.763Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/94136"},{"type":"FIX","url":"https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"0"},{"last_affected":"eb7f876a679dba6ae5ec739f94265f0e0f3516e8"},{"introduced":"0"},{"last_affected":"123941b0f107de57cb697d9fbbe1d86c2e1168e8"},{"introduced":"0"},{"last_affected":"0ad50159df83cd4f18680b7dc00e43ec721bf40f"},{"introduced":"0"},{"last_affected":"9b5cf5e4bdb14f9d2c32cffe5dbd3e88c24f7330"},{"introduced":"0"},{"last_affected":"ea8a665cdd0d0934d4006ce023c2b644adb49563"},{"introduced":"0"},{"last_affected":"42dceaaedf33281d8f159ae9b58d6ffed6097884"},{"introduced":"0"},{"last_affected":"a530eae2858605ac90b499ff316465e2159416d8"},{"introduced":"0"},{"last_affected":"bf04fa0dc581b1716dcda71561344458c8bbc1cf"},{"introduced":"0"},{"last_affected":"0a1679af081e41d108ef835356e702f88133c4d8"},{"introduced":"0
"},{"last_affected":"a822879f16bbe32f139113da4eedc98b1d2b5805"},{"introduced":"0"},{"last_affected":"fcb6c6365ea3cedf9d2162c4ccf656bdbf63b688"},{"introduced":"0"},{"last_affected":"1d833df10cabcd64792c0a8398815bb12f6de37e"},{"introduced":"0"},{"last_affected":"4071be4ff453bc317ba65d5f4a50cab7d50869db"},{"introduced":"0"},{"last_affected":"bd696d4d797d74529f9014457f693a34512c6994"},{"introduced":"0"},{"last_affected":"15c7b91c623fc5a6631e53b3a20258a12fc85049"},{"introduced":"0"},{"last_affected":"9851edb33cfc8a7f7e26ae1562832e622fd8b280"},{"introduced":"0"},{"last_affected":"13c2a89c97e2d4d9fafdf7447ed1d1e424fd30dc"},{"introduced":"0"},{"last_affected":"3141ffd1f2b03aca36ec87dbd73a99d7f77b1911"},{"introduced":"0"},{"last_affected":"d7735ca2873c118e9ca76d3381648742d3f6dcda"},{"introduced":"0"},{"last_affected":"7099aa19c3f38eb11ce41a7a7555258fa8c2eb61"},{"introduced":"0"},{"last_affected":"c003b436ab7cef3e6c9f209aa0052b638f363c25"},{"introduced":"0"},{"last_affected":"4fe2fb2e4bfd45f3e9b210e05b71df253c9f1ea2"},{"introduced":"0"},{"last_affected":"09f628d0bce9c420ab730ca0e18c6e755ae5b0ea"},{"introduced":"0"},{"last_affected":"5887a5d8785bab3b177a538066f11a88debe2ed4"},{"introduced":"0"},{"last_affected":"6411c7800a122d625befdb6c709ea3f3e1a84060"},{"introduced":"0"},{"last_affected":"12dd0f62012c6df8bd67abc2d9c5c54bd82366f7"},{"introduced":"0"},{"last_affected":"fd8d4923f7f915ef3b3f38fdb586d6e9eb431779"},{"introduced":"0"},{"last_affected":"e21c93f86eab3cddf88b797f2de83296e37240a3"},{"introduced":"0"},{"last_affected":"bb4a9e09d06dc4b0d5ec1f671b15b8ef734d4abe"},{"introduced":"0"},{"last_affected":"2ff7bee67f428277132c4f270434427ea4fdfd5f"},{"introduced":"0"},{"last_affected":"b7548a495fbbcdda41a9b2b554fc1a090f4342c5"},{"introduced":"0"},{"last_affected":"eb98c235de0dde2ad2412d2e30f56831c4be0952"},{"introduced":"0"},{"last_affected":"8b19629570ea461bcc69e3591202f0534b9517c3"},{"introduced":"0"},{"last_affected":"bedaf8f0b4aef85f4a97a20d057e57e5864990c2"},{"introduced":"0
"},{"last_affected":"77d8a0a9f7ee8ca8005de01b41f3512fef2ff862"},{"introduced":"0"},{"last_affected":"346e677ef9db2a27c3ee69d420563ecc564e5afe"},{"introduced":"0"},{"last_affected":"8a575a57eb72ef661be1a65bca010e80106aa492"},{"introduced":"0"},{"last_affected":"1bcad97b7d6f832b274aa85bb59aea7ddbc97c81"},{"introduced":"0"},{"last_affected":"54ec1a6e5261ce151dc0f9a0bcb5d882ea0b4af1"},{"introduced":"0"},{"last_affected":"c810497525e98f0894f7b54966df518e31a5417f"},{"introduced":"0"},{"last_affected":"58c5585aa0105906347613020a305816fca12929"},{"introduced":"0"},{"last_affected":"71657009e4b92f3c0e24d09a5aba99f1e187cd0e"},{"introduced":"0"},{"last_affected":"40515169fc2dea0e68cab27e97389e803013b305"},{"introduced":"0"},{"last_affected":"294482f38388542b43b908dcb427759544a7486f"},{"introduced":"0"},{"last_affected":"3f76553a7cb877669deb10c5b0031e2aae1f7d9e"},{"introduced":"0"},{"last_affected":"507ff239d58e634e56b8012d965374702e938f60"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.9.0"},{"introduced":"0"},{"last_affected":"8.9.1"},{"introduced":"0"},{"last_affected":"8.9.2"},{"introduced":"0"},{"last_affected":"8.9.3"},{"introduced":"0"},{"last_affected":"8.9.4"},{"introduced":"0"},{"last_affected":"8.9.5"},{"introduced":"0"},{"last_affected":"8.9.6"},{"introduced":"0"},{"last_affected":"8.9.7"},{"introduced":"0"},{"last_affected":"8.9.8"},{"introduced":"0"},{"last_affected":"8.9.9"},{"introduced":"0"},{"last_affected":"8.9.10"},{"introduced":"0"},{"last_affected":"8.9.11"},{"introduced":"0"},{"last_affected":"8.10.0"},{"introduced":"0"},{"last_affected":"8.10.1"},{"introduced":"0"},{"last_affected":"8.10.2"},{"introduced":"0"},{"last_affected":"8.10.3"},{"introduced":"0"},{"last_affected":"8.10.4"},{"introduced":"0"},{"last_affected":"8.10.5"},{"introduced":"0"},{"last_affected":"8.10.6"},{"introduced":"0"},{"last_affected":"8.10.7"},{"introduced":"0"},{"last_affected":"8.10.8"},{"introduced":"0"},{"last_affected":"8.10.9"},{"introduced":"0"},{
"last_affected":"8.10.10"},{"introduced":"0"},{"last_affected":"8.10.11"},{"introduced":"0"},{"last_affected":"8.10.12"},{"introduced":"0"},{"last_affected":"8.11.0"},{"introduced":"0"},{"last_affected":"8.11.1"},{"introduced":"0"},{"last_affected":"8.11.2"},{"introduced":"0"},{"last_affected":"8.11.3"},{"introduced":"0"},{"last_affected":"8.11.4"},{"introduced":"0"},{"last_affected":"8.11.5"},{"introduced":"0"},{"last_affected":"8.11.6"},{"introduced":"0"},{"last_affected":"8.11.7"},{"introduced":"0"},{"last_affected":"8.11.8"},{"introduced":"0"},{"last_affected":"8.11.9"},{"introduced":"0"},{"last_affected":"8.12.0"},{"introduced":"0"},{"last_affected":"8.12.1"},{"introduced":"0"},{"last_affected":"8.12.2"},{"introduced":"0"},{"last_affected":"8.12.3"},{"introduced":"0"},{"last_affected":"8.12.4"},{"introduced":"0"},{"last_affected":"8.12.5"},{"introduced":"0"},{"last_affected":"8.12.6"},{"introduced":"0"},{"last_affected":"8.12.7"},{"introduced":"0"},{"last_affected":"8.13.0"},{"introduced":"0"},{"last_affected":"8.13.1"},{"introduced":"0"},{"last_affected":"8.13.2"}]}}],"versions":["v1.2.0","v1.2.0pre","v1.2.1","v1.2.2","v2.3.0","v2.3.0pre","v2.3.1","v2.4.0","v2.4.0pre","v2.4.1","v2.5.0","v2.6.0","v2.6.0pre","v2.6.1","v2.6.2","v2.6.3","v2.7.0","v2.7.0pre","v2.8.0","v2.8.0pre","v2.8.1","v2.8.2","v2.9.0","v2.9.1","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.1.0","v4.0.0","v4.0.0rc1","v4.0.0rc2","v5.0.0","v5.1.0","v5.2.0","v5.3.0","v6.0.0","v6.0.0-ee","v6.0.0-ee.beta","v6.0.0-ee.rc1","v6.1.0-ee","v6.2.0","v6.3.0","v6.3.0-ee","v6.3.1-ee","v6.4.0","v6.4.0-ee","v6.4.0.pre1","v6.4.0.pre2","v6.4.0.pre3","v6.5.0","v6.5.0-ee","v6.5.0.rc1","v6.6.0","v6.6.0-ee","v6.6.0.pre1","v6.6.0.rc1","v6.7.0-ee","v6.7.0.rc1","v6.7.0.rc1-ee","v6.8.0-ee","v7.0.0","v7.0.0-ee","v7.0.0.rc1","v7.1.0","v7.1.0-ee","v7.1.0.rc1","v7.1.0.rc1-ee","v7.2.0.rc1","v7.2.0.rc1-ee","v7.2.0.rc2","v7.2.0.rc2-ee","v7.2.0.rc3","v7.2.0.rc3-ee","v7.2.0.rc4","v7.2.0.rc4-ee","v7.2.0.rc5","v7.2.0.rc5-ee","v7.3.0","v7.3
.0-ee","v7.3.0.rc1","v7.3.0.rc1-ee","v8.10.0-ee","v8.10.0-rc1-ee","v8.10.0-rc10-ee","v8.10.0-rc11-ee","v8.10.0-rc12-ee","v8.10.0-rc13-ee","v8.10.0-rc2-ee","v8.10.0-rc3-ee","v8.10.0-rc4-ee","v8.10.0-rc5-ee","v8.10.0-rc6-ee","v8.10.0-rc7-ee","v8.10.0-rc8-ee","v8.10.0-rc9-ee","v8.10.0.pre","v8.10.1-ee","v8.10.10-ee","v8.10.11-ee","v8.10.12-ee","v8.10.2-ee","v8.10.3-ee","v8.10.4-ee","v8.10.5-ee","v8.10.6-ee","v8.10.7-ee","v8.10.8-ee","v8.10.9-ee","v8.11.0","v8.11.0-ee","v8.11.0-rc1","v8.11.0-rc1-ee","v8.11.0-rc2","v8.11.0-rc2-ee","v8.11.0-rc3","v8.11.0-rc3-ee","v8.11.0-rc4","v8.11.0-rc4-ee","v8.11.0-rc5","v8.11.0-rc5-ee","v8.11.0-rc6","v8.11.0-rc6-ee","v8.11.0-rc7","v8.11.0-rc7-ee","v8.11.0.pre","v8.11.1-ee","v8.11.2-ee","v8.11.3-ee","v8.11.4-ee","v8.11.5-ee","v8.11.6-ee","v8.11.7-ee","v8.11.8-ee","v8.11.9-ee","v8.12.0-ee","v8.12.0-rc1-ee","v8.12.0-rc2-ee","v8.12.0-rc3-ee","v8.12.0-rc4-ee","v8.12.0-rc5-ee","v8.12.0-rc6-ee","v8.12.0-rc7-ee","v8.12.0.pre","v8.12.1-ee","v8.12.2-ee","v8.12.3-ee","v8.12.4-ee","v8.12.5-ee","v8.12.6-ee","v8.12.7-ee","v8.13.0-ee","v8.13.0-rc1-ee","v8.13.0-rc2-ee","v8.13.0-rc3-ee","v8.13.0-rc4-ee","v8.13.0-rc5-ee","v8.13.0-rc6-ee","v8.13.0-rc7-ee","v8.13.0.pre","v8.13.1-ee","v8.13.2-ee","v8.9.0-ee","v8.9.0-rc1-ee","v8.9.0-rc2-ee","v8.9.0-rc3-ee","v8.9.0-rc4-ee","v8.9.0-rc5-ee","v8.9.0-rc6-ee","v8.9.0-rc7-ee","v8.9.0-rc8-ee","v8.9.1-ee","v8.9.10-ee","v8.9.11-ee","v8.9.2-ee","v8.9.3-ee","v8.9.4-ee","v8.9.5-ee","v8.9.6-ee","v8.9.7-ee","v8.9.8-ee","v8.9.9-ee"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9086.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}
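The "details" text above describes the mechanism: the importer untarred a user-supplied archive without looking at what kind of entries it contained, so a symlink entry inside the export resolved to any file the GitLab service account could read. The following Ruby script is an added example, not GitLab's own code or its fix, showing the pre-extraction check an importer should make. It uses only the `Gem::Package::TarWriter`/`TarReader` classes from the Ruby standard library, builds a constructed malicious export in memory (the symlink target `/etc/hostname` is a placeholder, not a path named in the advisory), and goes slightly beyond the symlink case by also refusing hard-link entries and paths that climb out of the extraction directory. The function and variable names are this example's own.

```ruby
require 'rubygems/package'
require 'stringio'

# ustar typeflag values (POSIX.1-1988): "1" = hard link, "2" = symbolic link.
# Regular files are "0" or "\0", directories are "5".
LINK_TYPEFLAGS = %w[1 2].freeze

# Constructed sample: a minimal project export containing one ordinary file,
# a symlink entry that points outside the extraction directory, and a
# relative-path entry that climbs out of it. The symlink target is a
# placeholder; in the real attack it is whatever the service account can read
# (the advisory names files holding secret tokens).
def build_malicious_export
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file('project.json', 0644) { |f| f.write('{"name":"demo"}') }
    tar.add_symlink('project.bundle', '/etc/hostname', 0644)
    tar.add_file('../../escaped.txt', 0644) { |f| f.write('x') }
  end
  io.string
end

# Constructed sample: the same export without the hostile entries.
def build_benign_export
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file('project.json', 0644) { |f| f.write('{"name":"demo"}') }
    tar.add_file('project.bundle', 0644) { |f| f.write('git bundle bytes') }
  end
  io.string
end

# Inspect the archive headers only (nothing touches the filesystem) and return
# the reasons to refuse the import. An empty list means every entry is a plain
# file or directory whose path stays inside the extraction directory.
def unsafe_tar_entries(tar_bytes)
  problems = []
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each do |entry|
      name = entry.full_name
      flag = entry.header.typeflag
      if LINK_TYPEFLAGS.include?(flag)
        problems << "#{name}: link entry (typeflag #{flag}) -> #{entry.header.linkname}"
      elsif name.start_with?('/') || name.split('/').include?('..')
        problems << "#{name}: path escapes the extraction directory"
      end
    end
  end
  problems
end

# Gate an importer would call before handing the archive to tar.
def safe_to_import?(tar_bytes)
  unsafe_tar_entries(tar_bytes).empty?
end

if $PROGRAM_NAME == __FILE__
  puts "benign export: #{safe_to_import?(build_benign_export) ? 'accepted' : 'rejected'}"
  unsafe_tar_entries(build_malicious_export).each { |p| puts "rejected: #{p}" }
end
```

The check runs over the tar headers before anything is extracted, which is the point: once `tar x` has created the symlink, any later step that reads `project.bundle` reads the link target. Deleting symlinks in a sweep after extraction is weaker, because what happens to a file entry that follows a same-named link entry in one archive depends on the extractor, and the window between extraction and sweep still exists. Extract into a freshly created temporary directory so no pre-existing link can be written through either.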