Lucene search

FreeBSD10968DFD-A687-11E6-B2D3-60A44CE6887B

HistoryNov 02, 2016 - 12:00 a.m.

gitlab -- Directory traversal via "import/export" feature

2016-11-0200:00:00

vuxml.freebsd.org

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

26.2%

JSON

GitLab reports:

The import/export feature did not properly check for symbolic links
in user-provided archives and therefore it was possible for an
authenticated user to retrieve the contents of any file
accessible to the GitLab service account. This included
sensitive files such as those that contain secret tokens used
by the GitLab service to authenticate users.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchgitlab= 8.10.0UNKNOWN
FreeBSDanynoarchgitlab<= 8.10.12UNKNOWN

OS	Version	Architecture	Package	Version	Filename
FreeBSD	any	noarch	gitlab	= 8.10.0	UNKNOWN
FreeBSD	any	noarch	gitlab	<= 8.10.12	UNKNOWN

References

about.gitlab.com/2016/11/02/cve-2016-9086-patches/

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

26.2%

JSON

Related for 10968DFD-A687-11E6-B2D3-60A44CE6887B