CVE-2019-14924

Name of the Vulnerable Software and Affected Versions GCDWebServer versions prior to 3.5.3

Description An issue in the GCDWebUploader class allows an adversary to make an inaccessible file available by leveraging the fact that the moveItem method checks the FileExtension of newAbsolutePath but not oldAbsolutePath. This could potentially expose sensitive information, such as app credentials.

Recommendations For versions prior to 3.5.3, update to version 3.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the moveItem method in the GCDWebUploader class until a patch is available.