Currently, this vulnerability has been resolved in GitLab version 12.9.1.
GitLab awards $20,000 to researcher for remote code execution vulnerability
GitLab rewarded security researcher who reported serious remote code execution vulnerabilities on their platforms with $20,000. The vulnerability was discovered by William Bowling “vakzz”. Bowling is both a programmer and a bug bounty hunter. He disclosed the vulnerability on March 23 through the HackerOne Bug bounty platform.
Bowling said that GitLab’s UploadsRewriter function is used to copy files, and this is the source of this serious security problem. When an issue is used to copy across projects, the UploadsRewriter function checks the file name and patch. However, there is no verification check during this process, resulting in a path traversal problem, which may be used to copy any files.
According to the bug bounty hunter, if the vulnerability is exploited by an attacker, it may be used to “read arbitrary files on the server, including tokens, private data, configs, etc.” Both the GitLab instance and the GitLab.com domain are affected by this vulnerability, which was judged as a severe level by HackerOne.
Bowling added that by using any file reading vulnerability to grab information from GitLab’s secret_key_base service, the vulnerability can be turned into a remote code execution (RCE) attack. For example, if an attacker changes the secret_key_base of his instance to match the project, the cookie service can also be manipulated to trigger RCE attacks.
