ASA-2019-00222 – GitLab: EXIF geolocation data not stripped from uploaded images


Allele Security Alert

ASA-2019-00222

Identifier(s)

ASA-2019-00222, CVE-2019-10109

Title

EXIF geolocation data not stripped from uploaded images

Vendor(s)

GitLab

Product(s)

GitLab Community Edition (CE)
GitLab Enterprise Edition (EE)

Affected version(s)

Affects all previous versions of GitLab

Fixed version(s)

GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.9.4
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.8.6
GitLab Community Edition (CE) and GitLab Enterprise Edition (EE) 11.7.10

Proof of concept

Unknown

Description

Images uploaded to GitLab were not stripped of EXIF geolocation data. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software-version data, if present.
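As an added illustration of the mitigation (not GitLab's code, nor the fix shipped in the referenced releases), the following standard-library Python detects the GPSInfo pointer in a JPEG's Exif IFD0 and strips the Exif APP1 segment before the file is stored; the sample JPEG it builds is constructed for the demonstration and is not a decodable picture.

```python
import struct

APP1, SOS, EOI = 0xFFE1, 0xFFDA, 0xFFD9
EXIF_HEADER = b"Exif\x00\x00"
GPS_INFO_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD (latitude/longitude live there)

def _segments(data: bytes):
    """Yield (marker, start, end) for each marker segment that precedes the image scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker in (SOS, EOI):
            break
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def exif_has_gps(data: bytes) -> bool:
    """True if an Exif APP1 segment's IFD0 carries a GPSInfo pointer (i.e. location tags are present)."""
    for marker, start, end in _segments(data):
        if marker != APP1 or data[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = data[start + 10:end]                   # TIFF structure that follows the Exif header
        endian = "<" if tiff[:2] == b"II" else ">"    # byte order declared by the TIFF header
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                        # each IFD entry is 12 bytes: tag, type, count, value
            tag = struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            if tag == GPS_INFO_TAG:
                return True
    return False

def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed; compressed pixel data is untouched."""
    out = bytearray(data)
    for marker, start, end in reversed(list(_segments(data))):  # delete back-to-front so offsets stay valid
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            del out[start:end]
    return bytes(out)

def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG container whose IFD0 points at an (empty) GPS sub-IFD, like a phone photo."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_INFO_TAG, 4, 1, 26) + struct.pack("<I", 0)
    gps_ifd = struct.pack("<HI", 0, 0)                # zero GPS entries, no next IFD (offset 26)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps_ifd
    payload = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"
```

Malformed offsets raise `struct.error`, which an upload pipeline should treat as a rejected file rather than a clean one. Location can also travel in XMP (an APP1 segment with a different header) and in non-JPEG formats, which this example does not cover.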

Technical details

Unknown

Credits

jack898 and rgupt

Reference(s)

GitLab Security Release: 11.9.4, 11.8.6, and 11.7.10
https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/

CVE-2019-10109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10109

CVE-2019-10109
https://nvd.nist.gov/vuln/detail/CVE-2019-10109

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: April 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.