Allele Security Alert
ASA-2019-00222
Identifier(s)
ASA-2019-00222, CVE-2019-10109
Title
EXIF geolocation data not stripped from uploaded images
Vendor(s)
GitLab
Product(s)
GitLab Community Edition (CE)
GitLab Enterprise Edition (EE)
Affected version(s)
All GitLab CE and EE versions prior to the fixed releases listed below
Fixed version(s)
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.9.4
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.8.6
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.7.10
Proof of concept
Unknown
Description
Images uploaded to GitLab were not stripped of EXIF metadata. As a result, anyone with access to an uploaded image could obtain its geolocation (GPS coordinates), device, and software version data, if the camera or phone that produced the image had embedded it.
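The following is an added example, not GitLab's code and not the fix shipped in the releases above. It shows what this class of issue looks like on the server side in GitLab's language: a minimal pure-Ruby JPEG segment parser that detects whether an upload's APP1 Exif block points at a GPS IFD (TIFF tag 0x8825) and a stripper that rebuilds the file without Exif segments while leaving the image data intact. The sample JPEG, the helper names and the marker constants are constructed for this illustration; real uploads should additionally be handled for non-JPEG formats and for markers that carry no length field.

```ruby
# frozen_string_literal: true
# Added example (not GitLab's code): detect and strip EXIF GPS data from a JPEG.

SOI  = "\xFF\xD8".b     # start of image
EOI  = "\xFF\xD9".b     # end of image
APP1 = 0xE1             # Exif lives in an APP1 segment
SOS  = 0xDA             # start of scan: entropy-coded data follows
EXIF_HEADER = "Exif\0\0".b
GPS_IFD_TAG = 0x8825    # IFD0 entry pointing at the GPS sub-IFD

# Split the JPEG header into [marker, payload] segments up to SOS.
# The unparsed remainder (scan data + EOI) is returned as the tail.
def jpeg_segments(data)
  raise ArgumentError, "not a JPEG" unless data.byteslice(0, 2) == SOI
  pos = 2
  segments = []
  while pos < data.bytesize
    raise ArgumentError, "bad marker at #{pos}" unless data.getbyte(pos) == 0xFF
    marker = data.getbyte(pos + 1)
    break if marker == SOS
    len = data.byteslice(pos + 2, 2).unpack1("n")   # length includes its own 2 bytes
    segments << [marker, data.byteslice(pos + 4, len - 2)]
    pos += 2 + len
  end
  [segments, data.byteslice(pos, data.bytesize - pos)]
end

def exif_segment?(marker, payload)
  marker == APP1 && payload.byteslice(0, 6) == EXIF_HEADER
end

# True if IFD0 of the embedded TIFF block contains a GPS IFD pointer.
def exif_has_gps?(payload)
  tiff = payload.byteslice(6, payload.bytesize - 6)
  fmt16, fmt32 = { "II".b => %w[v V], "MM".b => %w[n N] }[tiff.byteslice(0, 2)]
  return false unless fmt16                         # unknown byte order
  ifd0 = tiff.byteslice(4, 4)&.unpack1(fmt32)
  count = ifd0 && tiff.byteslice(ifd0, 2)&.unpack1(fmt16)
  return false unless count
  count.times do |i|
    tag = tiff.byteslice(ifd0 + 2 + i * 12, 2)&.unpack1(fmt16)
    return true if tag == GPS_IFD_TAG
  end
  false
end

def jpeg_has_gps?(data)
  segments, = jpeg_segments(data)
  segments.any? { |m, p| exif_segment?(m, p) && exif_has_gps?(p) }
end

def segment(marker, payload)
  [0xFF, marker, payload.bytesize + 2].pack("CCn") + payload
end

# Rebuild the JPEG without APP1 Exif segments; all other segments and the
# scan data are copied through unchanged.
def strip_exif(data)
  segments, tail = jpeg_segments(data)
  out = SOI.dup
  segments.each do |marker, payload|
    next if exif_segment?(marker, payload)
    out << segment(marker, payload)
  end
  out << tail
end

# Constructed sample: a tiny JPEG-shaped file with an Exif block. With
# with_gps: true, IFD0 holds one entry, the GPS IFD pointer (offset 26).
def build_sample_jpeg(with_gps:)
  tiff = "II".b + [42, 8].pack("vV")               # little-endian, IFD0 at offset 8
  if with_gps
    tiff << [1].pack("v") << [GPS_IFD_TAG, 4, 1, 26].pack("vvVV") << [0].pack("V")
    tiff << [0].pack("v") << [0].pack("V")          # empty GPS IFD at offset 26
  else
    tiff << [1].pack("v") << [0x010F, 2, 4].pack("vvV") << "ACME".b << [0].pack("V")
  end
  SOI + segment(APP1, EXIF_HEADER + tiff) + segment(0xFE, "comment".b) +
    "\xFF".b + [SOS].pack("C") + [2].pack("n") + "\x12\x34".b + EOI
end

if $PROGRAM_NAME == __FILE__
  img = build_sample_jpeg(with_gps: true)
  puts "upload has GPS EXIF: #{jpeg_has_gps?(img)}"
  puts "after strip:         #{jpeg_has_gps?(strip_exif(img))}"
end
```

In a Rails upload path this check belongs on the server before the file is persisted, since client-side stripping cannot be trusted; rejecting or rewriting at upload time is what prevents the data from ever being served.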
Technical details
Unknown
Credits
jack898 and rgupt
Reference(s)
GitLab Security Release: 11.9.4, 11.8.6, and 11.7.10
https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
CVE-2019-10109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10109
CVE-2019-10109
https://nvd.nist.gov/vuln/detail/CVE-2019-10109
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: April 24, 2019