GitLab developers this week fixed a critical vulnerability in the open source repository management software that could have led to command execution and allowed an authenticated user to read sensitive application files, tokens, or secrets on the server. HackerOne cofounder Jobert Abma found the vulnerability last week and reported it to the company through GitLab's bug bounty program. GitLab addressed the issue (CVE-2016-9086) when it rolled out version 8.13.3 of the software late Wednesday.
The company first informed users of the impending fix on Monday through its security newsletter and a post on its blog. GitLab also backported the fix to versions 8.12.8, 8.11.10, and 8.10.13 of both GitLab Community Edition (CE) and Enterprise Edition (EE), and is encouraging all users running an affected version to upgrade immediately.