Thursday, November 3, 2016

Critical Security Release for GitLab (CVE-2016-9086)

The Gitlab project released a new update that contains an important security fix for a critical directory traversal vulnerability, and we strongly recommend that all GitLab installations be upgraded to the new version immediately.

We released new versions of Bitnami Gitlab 8.13.3 installers, virtual machines and cloud images that fix the security issue.

Directory traversal via "import/export" feature: CVE-2016-9086

Added in GitLab 8.9, the "import/export project" feature of GitLab allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users.

More information about the issue can be found in the official blog post.


If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.

Disable Project Import/Export via Tape Archive

Login using an administrator account to your GitLab installation and perform the following:

- Choose "Admin Area"
- Click "Settings"
- Under "Import Sources" disable the "GitLab export" option
- Click Save

Verifying the workaround

- In a Browser Window, login as any user
- Click "Projects"
- Click "New Project"
- Enter a project name
- Verify that "GitLab export" does not appear as an import option

Do you have questions about Bitnami Gitlab or the security issue? Please post to our community forum, and we will be happy to help you.