Once the vulnerability has been used to read a file's contents, it opens two attack vectors.

First, the GitLab security vulnerability lets attackers read any repository by giving them access to GitLab shell tokens, which the service uses to authenticate users.

Second, attackers can achieve remote code execution, because the bug allows cookies to be marshaled and then re-signed.

Vulnerability Information

The GitLab security vulnerability has been assigned CVE-2016-9086.

The vulnerability has a CVSS score of 6.5 (Medium), meaning this bug is something to be remediated promptly.

This is because the attacker can obtain a considerable amount of confidential and vital data using a fairly simple method of attack.

Affected Versions, and What You Can Do About It

Affected versions are as follows:

8.13.0 - 8.13.2

8.12.0 - 8.12.7

8.11.0 - 8.11.9

8.10.0 - 8.10.12

8.9.0 - 8.9.11

Patches for versions 8.10.0 and later can be found here.

If you’re running earlier versions on your servers, and you can’t upgrade to a newer version, I’m sorry to say that you won’t be receiving a patch. However, you can secure your system by disabling the buggy feature (Project Import/Export) via this workaround.
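As an added check that is not part of the original post (and not GitLab's or WhiteSource's code), the script below encodes the affected ranges listed above and reports which of the two remediation paths described here applies to an installed GitLab version string. The version strings used in it are constructed samples; a version outside the listed ranges is reported as "not listed" rather than as safe, since this page only states the affected ranges.

```python
# Added example: classify an installed GitLab version against the CVE-2016-9086
# advisory ranges quoted on this page. Not vendor code.

# Affected ranges as published above: (first affected, last affected), inclusive.
AFFECTED_RANGES = [
    ("8.13.0", "8.13.2"),
    ("8.12.0", "8.12.7"),
    ("8.11.0", "8.11.9"),
    ("8.10.0", "8.10.12"),
    ("8.9.0", "8.9.11"),
]

# The page states that patches exist only for 8.10.0 and later.
FIRST_PATCHED_LINE = "8.10.0"


def parse_version(text):
    """Turn '8.10.12' (optionally with an edition suffix such as '-ee') into a comparable tuple."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version falls inside any advisory range (inclusive on both ends)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def remediation(version):
    """Return the action this advisory gives for the version."""
    if not is_affected(version):
        return "not listed as affected"
    if parse_version(version) >= parse_version(FIRST_PATCHED_LINE):
        return "upgrade to a patched release"
    # 8.9.x is affected but receives no patch: disable the buggy feature instead.
    return "disable Project Import/Export (no patch available)"


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ("8.9.5", "8.10.12-ee", "8.13.2", "8.13.3"):
        print(f"{sample}: {remediation(sample)}")
```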

Having Your Finger on the Pulse

This critical GitLab security vulnerability is another reminder of the importance of keeping up-to-date with version updates and fixes.

If you’re looking for an open source management solution which provides you with all patches and fixes, as well as other remediation suggestions, without your team having to do any of the legwork, why not check out what WhiteSource can offer your organization.