GitLab awards researcher $20,000, patches remote code execution bug

Updated: Engineers jumped on the issue which earned the researcher $1,000 at the point of triage.
Written by Charlie Osborne, Contributing Writer

GitLab has awarded a cybersecurity researcher $20,000 for reporting a serious remote code execution vulnerability on the platform.

Discovered by William "vakzz" Bowling, a programmer and bug bounty hunter, the vulnerability was privately disclosed through the HackerOne bug bounty platform on March 23.

Bowling said that GitLab's UploadsRewriter function, used to copy files, was the source of the critical security issue. 


The function should have checked file names and paths when issues were copied across projects. However, no validation checks were in place, leading to a path traversal problem that could be exploited to copy any file.

According to the bug bounty hunter, if exploited by an attacker, the vulnerability could be weaponized to "read arbitrary files on the server, including tokens, private data, [and] configs."
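The missing check described above, sketched in Ruby as an added example (this is not GitLab's UploadsRewriter code and not taken from the researcher's report): `resolve_unchecked`, `resolve_checked`, `UnsafeUploadPath` and the temporary directory layout are hypothetical names and constructed data. It goes slightly beyond the article by also rejecting a symlink that points outside the upload directory.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

class UnsafeUploadPath < StandardError; end

# "Before": the reference is joined to the upload directory as-is, so "../"
# segments (or a symlink) select files outside it.
def resolve_unchecked(upload_root, reference)
  File.join(upload_root, reference)
end

# "After": canonicalise first, then require the result to stay under the root.
def resolve_checked(upload_root, reference)
  raise UnsafeUploadPath, "bad reference" if reference.empty? || reference.include?("\0")
  root = Pathname.new(upload_root).realpath
  candidate = root.join(reference).cleanpath          # lexical: folds ".." and "."
  candidate = candidate.realpath if candidate.exist?  # resolves symlinks
  unless candidate.to_s.start_with?(root.to_s + File::SEPARATOR)
    raise UnsafeUploadPath, "escapes upload directory: #{reference.inspect}"
  end
  candidate.to_s
end

# Constructed fixture: an upload directory next to a file that must stay private.
# Returns, per reference, [did the unchecked path read the private file?, verdict].
def run_demo
  Dir.mktmpdir do |tmp|
    uploads = File.join(tmp, "uploads")
    FileUtils.mkdir_p(File.join(uploads, "abc123"))
    File.write(File.join(uploads, "abc123", "report.txt"), "attachment")
    File.write(File.join(tmp, "secrets.yml"), "secret_key_base: PLACEHOLDER")
    File.symlink(File.join(tmp, "secrets.yml"), File.join(uploads, "abc123", "link"))

    refs = ["abc123/report.txt", "abc123/../../secrets.yml", "abc123/link"]
    refs.map do |ref|
      leaked = File.read(resolve_unchecked(uploads, ref)).start_with?("secret_key_base")
      verdict = begin
        resolve_checked(uploads, ref)
        :allowed
      rescue UnsafeUploadPath
        :rejected
      end
      [leaked, verdict]
    end
  end
end

p run_demo if __FILE__ == $PROGRAM_NAME
```

The containment test compares against the root plus a trailing separator, so a sibling directory whose name merely begins with the root's name is not treated as inside it.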

GitLab instances and the GitLab.com domain were affected by the vulnerability, which was awarded a critical rating on HackerOne.

On the same day as disclosure, the GitLab security team decided to award Bowling a $1,000 reward while triage took place. 

As triage was underway, Bowling added that the issue could be turned into a remote code execution (RCE) attack by using the arbitrary file read bug to grab information from the GitLab secret_key_base service. If an attacker changed their own instance's secret_key_base to match a project, cookie services could also be manipulated to trigger RCE.


The vulnerability was sent to GitLab's engineering team, who reproduced the problem. While the team noted that an attacker would need to be a project member -- at a minimum -- to exploit the vulnerability, they could also simply "create their own project/group to do this," according to Heinrich Lee Yu, a senior engineer at GitLab.


The vulnerability has now been resolved in GitLab version 12.9.1, with the researcher's full bounty awarded on March 27. The public report was released on April 27.

Four months ago, the same researcher disclosed a bug in GitLab's Search API which allowed additional flags to be injected into the git command, potentially leading to the creation of crafted keys, remote access, and code execution. GitLab acknowledged the problem and awarded Bowling $12,000 for the critical bug report. 

"We're thankful for security reporters like vakzz who responsibly disclose vulnerabilities through our bug bounty program," Johnathan Hunt, VP of Security at GitLab, told ZDNet. "Once disclosed to the GitLab Security Team, this specific bug was quickly remediated and made public 30 days after the patch is released."
