ASA-2019-00217 – GitLab: Information exposure through timing discrepancy


Allele Security Alert

ASA-2019-00217

Identifier(s)

ASA-2019-00217,  CVE-2019-10114

Title

Information exposure through timing discrepancy

Vendor(s)

GitLab

Product(s)

GitLab Community Edition (CE)
GitLab Enterprise Edition (EE)

Affected version(s)

GitLab CE/EE 11.9 and later

Fixed version(s)

GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.9.4
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.8.6
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.7.10

Proof of concept

unknown

Description

During the OAuth authentication process, the application attempts to validate a parameter in an insecure way, potentially exposing data.

Technical details

unknown

Credits

Recurity

Reference(s)

GitLab Security Release: 11.9.4, 11.8.6, and 11.7.10
https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/

CVE-2019-10114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10114

CVE-2019-10114
https://nvd.nist.gov/vuln/detail/CVE-2019-10114

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: April 23, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.