{"id":"CVE-2016-9469","details":"Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1, 8.14.2, and 8.14.2-ee.","modified":"2026-04-10T03:54:15.820061Z","published":"2017-03-28T02:59:01.247Z","references":[{"type":"FIX","url":"https://about.gitlab.com/2016/12/05/cve-2016-9469/"},{"type":"FIX","url":"https://gitlab.com/gitlab-org/gitlab-ce/commit/29ceb98b5162677601702704e89d845580372078"},{"type":"FIX","url":"https://gitlab.com/gitlab-org/gitlab-ce/commit/55196497301eea429913f9c4b1b37c42c2e358ce"},{"type":"FIX","url":"https://gitlab.com/gitlab-org/gitlab-ce/commit/f325e4e734e5e486f3b02db176eb629124052b43"},{"type":"EVIDENCE","url":"https://gitlab.com/gitlab-org/gitlab-ce/issues/25064"},{"type":"EVIDENCE","url":"https://hackerone.com/reports/186194"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/gitlab-org/gitlab","events":[{"introduced":"0"},{"last_affected":"294482f38388542b43b908dcb427759544a7486f"},{"introduced":"0"},{"last_affected":"294482f38388542b43b908dcb427759544a7486f"},{"introduced":"0"},{"last_affected":"3f76553a7cb877669deb10c5b0031e2aae1f7d9e"},{"introduced":"0"},{"last_affected":"3f76553a7cb877669deb10c5b0031e2aae1f7d9e"},{"introduced":"0"},{"last_affected":"507ff239d58e634e56b8012d965374702e938f60"},{"introduced":"0"},{"last_affected":"507ff239d58e634e56b8012d965374702e938f60"},{"introduced":"0"},{"last_affected":"966f6c7f5e501b6ff1af675b28bfa1d4a9d4e4d5"},{"introduced":"0"},{"last_affected":"966f6c7f5e501b6ff1af675b28bfa1d4a9d4e4d5"},{"introduced":"0"},{"last_affected":"7f1ed36b715e336174699ea696d29c88b31d2fea"},{"introduced":"0"},{"last_affected":"7f1ed36b715e336174699ea696d29c88b31d2fea"},{"introduced":"0"},{"last_affected":"94cc667f4ad84bfedf8714db7e8b4ba6acbb1f9a"},{"introduced":"0"},{"last_affected":"94cc667f4ad84bfedf8714db7e8b4ba6acbb1f9a"},{"introduced":"0"},{"last_affected":"4d6fd7481dfb1c71864bce2bffeb1b4990b1a854"},{"introduced":"0"},{"last_affected":"4d6fd7481dfb1c71864bce2bffeb1b4990b1a854"},{"introduced":"0"},{"last_affected":"bda1e862dca10dffbd31c272b01a93346e585e47"},{"introduced":"0"},{"last_affected":"bda1e862dca10dffbd31c272b01a93346e585e47"},{"introduced":"0"},{"last_affected":"4ae57e0b374bbb8e461305d8a7a68b550bdd768d"},{"introduced":"0"},{"last_affected":"4ae57e0b374bbb8e461305d8a7a68b550bdd768d"},{"introduced":"0"},{"last_affected":"ec3e70625ca648a7ba2aa11a5edbf712bbddd1e3"},{"introduced":"0"},{"last_affected":"ec3e70625ca648a7ba2aa11a5edbf712bbddd1e3"},{"introduced":"0"},{"last_affected":"b4c40a51ff743f788443bd431d76f6a765797216"},{"introduced":"0"},{"last_affected":"b4c40a51ff743f788443bd431d76f6a765797216"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.13.0"},{"introduced":"0"},{"last_affected":"8.13.0"},{"introduced":"0"},{"last_affected":"8.13.1"},{"introduced":"0"},{"last_affected":"8.13.1"},{"introduced":"0"},{"last_affected":"8.13.2"},{"introduced":"0"},{"last_affected":"8.13.2"},{"introduced":"0"},{"last_affected":"8.13.3"},{"introduced":"0"},{"last_affected":"8.13.3"},{"introduced":"0"},{"last_affected":"8.13.4"},{"introduced":"0"},{"last_affected":"8.13.4"},{"introduced":"0"},{"last_affected":"8.13.5"},{"introduced":"0"},{"last_affected":"8.13.5"},{"introduced":"0"},{"last_affected":"8.13.6"},{"introduced":"0"},{"last_affected":"8.13.6"},{"introduced":"0"},{"last_affected":"8.13.7"},{"introduced":"0"},{"last_affected":"8.13.7"},{"introduced":"0"},{"last_affected":"8.14.0"},{"introduced":"0"},{"last_affected":"8.14.0"},{"introduced":"0"},{"last_affected":"8.14.1"},{"introduced":"0"},{"last_affected":"8.14.1"},{"introduced":"0"},{"last_affected":"8.14.2"},{"introduced":"0"},{"last_affected":"8.14.2"}]}}],"versions":["v1.2.0","v1.2.0pre","v1.2.1","v1.2.2","v2.3.0","v2.3.0pre","v2.3.1","v2.4.0","v2.4.0pre","v2.4.1","v2.5.0","v2.6.0","v2.6.0pre","v2.6.1","v2.6.2","v2.6.3","v2.7.0","v2.7.0pre","v2.8.0","v2.8.0pre","v2.8.1","v2.8.2","v2.9.0","v2.9.1","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.1.0","v4.0.0","v4.0.0rc1","v4.0.0rc2","v5.0.0","v5.1.0","v5.2.0","v5.3.0","v6.0.0","v6.0.0-ee","v6.0.0-ee.beta","v6.0.0-ee.rc1","v6.1.0-ee","v6.2.0","v6.3.0","v6.3.0-ee","v6.3.1-ee","v6.4.0","v6.4.0-ee","v6.4.0.pre1","v6.4.0.pre2","v6.4.0.pre3","v6.5.0","v6.5.0-ee","v6.5.0.rc1","v6.6.0","v6.6.0-ee","v6.6.0.pre1","v6.6.0.rc1","v6.7.0-ee","v6.7.0.rc1","v6.7.0.rc1-ee","v6.8.0-ee","v7.0.0","v7.0.0-ee","v7.0.0.rc1","v7.1.0","v7.1.0-ee","v7.1.0.rc1","v7.1.0.rc1-ee","v7.2.0.rc1","v7.2.0.rc1-ee","v7.2.0.rc2","v7.2.0.rc2-ee","v7.2.0.rc3","v7.2.0.rc3-ee","v7.2.0.rc4","v7.2.0.rc4-ee","v7.2.0.rc5","v7.2.0.rc5-ee","v7.3.0","v7.3.0-ee","v7.3.0.rc1","v7.3.0.rc1-ee","v8.11.0.pre","v8.13.0-ee","v8.13.0-rc1-ee","v8.13.0-rc2-ee","v8.13.0-rc3-ee","v8.13.0-rc4-ee","v8.13.0-rc5-ee","v8.13.0-rc6-ee","v8.13.0-rc7-ee","v8.13.0.pre","v8.13.1-ee","v8.13.2-ee","v8.13.3-ee","v8.13.4-ee","v8.13.5-ee","v8.13.6-ee","v8.13.7-ee","v8.14.0-ee","v8.14.0-rc1-ee","v8.14.0-rc2-ee","v8.14.0-rc4-ee","v8.14.0-rc5-ee","v8.14.0.pre","v8.14.1-ee","v8.14.2-ee"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9469.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"}]}