Allele Security Alert
EXIF geolocation data not stripped from uploaded images
GitLab Community Edition (CE)
GitLab Enterprise Edition (EE)
Affects all previous versions of GitLab
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.9.4
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.8.6
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.7.10
Proof of concept
Images uploaded to GitLab were not stripped of EXIF geolocation data. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software version data, if present.
jack898 and rgupt
GitLab Security Release: 11.9.4, 11.8.6, and 11.7.10
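One way to check an upload for the condition in the description above and remove it, as an added example that is not GitLab's fix and not part of the original alert: it walks the JPEG segments, reports whether the Exif APP1 block has a GPSInfo pointer in IFD0, and drops the whole Exif block (which also removes device and software tags). The function names and the sample bytes are assumptions made for this illustration.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD

def jpeg_segments(data):
    """Yield (marker, payload, raw) for each segment up to the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        if data[pos + 1] == 0xDA:  # SOS: the rest is image data, copy untouched
            yield 0xDA, b"", data[pos:]
            return
        end = pos + 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if end < pos + 4 or end > len(data):
            break
        yield data[pos + 1], data[pos + 4:end], data[pos:end]
        pos = end
    raise ValueError("malformed or truncated JPEG near offset %d" % pos)

def has_gps_ifd(exif_payload):
    """True if IFD0 of an Exif APP1 payload carries a GPSInfo pointer."""
    tiff = exif_payload[len(EXIF_HEADER):]
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
    magic, ifd0 = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
    entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]  # 12-byte IFD entries
    return any(struct.unpack(e + "H", entries[i:i + 2])[0] == GPS_IFD_TAG
               for i in range(0, len(entries) - 1, 12))

def audit_and_strip(data):
    """Return (had_exif, had_gps, cleaned) with Exif APP1 segments dropped."""
    had_exif, had_gps, out = False, False, bytearray(b"\xff\xd8")
    for marker, payload, raw in jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            had_exif, had_gps = True, had_gps or has_gps_ifd(payload)
        else:
            out += raw
    return had_exif, had_gps, bytes(out)

# Constructed segment skeleton (not a decodable image) with one GPSInfo entry.
_TIFF = b"MM" + struct.pack(">HIHHHIIIHI", 42, 8, 1, GPS_IFD_TAG, 4, 1, 26, 0, 0, 0)
SAMPLE = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_TIFF) + 8) + EXIF_HEADER
          + _TIFF + b"\xff\xda\x00\x02\xff\xd9")
```

Running audit_and_strip over stored uploads after upgrading shows which existing files still carry location metadata, since a fix applied at upload time does not rewrite files that were already stored.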
Last modified: April 24, 2019