When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice. When using submodule paths that refer to the same file system entity (e.g. using the NTFS Alternate Data Streams attack mentioned in CVE-2019-1352 where files would be written to the `.git/` directory using a synonymous directory name), it was possible to "squat" on the `git~1` shortname on NTFS drives, opening attacks via `git~2`. This also affects Git when run as a Linux application inside the Windows Subsystem for Linux.
ASA-2019-00223 – GitLab: Group Runner Registration Token Exposure
The GitLab groups API was vulnerable to an information disclosure issue that disclosed group runner registration tokens to unauthorized users. The issue is now mitigated in the latest release and is assigned CVE-2019-11000.
ASA-2019-00222 – GitLab: EXIF geolocation data not stripped from uploaded images
Images uploaded to GitLab were not stripped of EXIF geolocation data. As a result, anyone with access to an uploaded image could obtain its geolocation, device, and software version data, if present.
ASA-2019-00221 – GitLab: Insecure Direct Object Reference (IDOR) labels of private projects/groups
An authorization issue was discovered which allowed non-members of a private project/group to add and read labels.
ASA-2019-00220 – GitLab: PDF.js vulnerable to CVE-2018-5158
ASA-2019-00219 – GitLab: Open redirect
Within the GeoAuthController for the secondary Geo node, a redirect is triggered after successful authentication. This redirect was subject to an open redirect vulnerability.
ASA-2019-00218 – GitLab: loginState HMAC issues
The HMAC key was derived insecurely.
ASA-2019-00217 – GitLab: Information exposure through timing discrepancy
During the OAuth authentication process, the application attempts to validate a parameter in an insecure way, potentially exposing data.