GitLab opened a bug bounty program on the HackerOne platform on March 23. The bug was disclosed on 27 April by William “vakzz” Bowling, a programmer. The vulnerability was described as an arbitrary file read via the UploadsRewriter when moving an issue. According to Bowling’s report, the file or path should have been validated before the files were copied; this missing check was the source of the critical security issue.
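The report's point is that a path taken from user-controlled content must be validated before anything is copied. The following Ruby example, added here and not taken from GitLab's code base, contrasts a naive join (the pattern the report describes) with a hardened resolver that canonicalizes the candidate path and refuses anything that lands outside the upload root, including "../" components, absolute references and symlinks. The names (naive_resolve, safe_resolve, copy_upload, UnsafeUploadPath) and the temp-directory fixture are constructed for illustration.

```ruby
require "fileutils"
require "pathname"
require "tmpdir"

# Hypothetical error type for rejected references; not a GitLab class.
class UnsafeUploadPath < StandardError; end

# Naive resolution: glue the user-controlled reference onto the upload root
# and trust the result. Neither ".." components nor symlinks are checked,
# so a reference can point at files outside the root.
def naive_resolve(upload_root, referenced_path)
  File.join(upload_root, referenced_path)
end

# True when +path+ equals +root+ or lies strictly beneath it. Both strings
# must already be canonical (realpath output).
def within_root?(root, path)
  path == root || path.start_with?(root + File::SEPARATOR)
end

# Hardened resolution: reject absolute references, canonicalize the
# candidate (collapses "..", follows symlinks, requires the file to exist),
# then insist the canonical location is still beneath the upload root.
def safe_resolve(upload_root, referenced_path)
  root = File.realpath(upload_root)
  if Pathname.new(referenced_path).absolute?
    raise UnsafeUploadPath, "absolute reference rejected: #{referenced_path}"
  end
  resolved = File.realpath(File.join(root, referenced_path))
  unless within_root?(root, resolved)
    raise UnsafeUploadPath, "reference escapes upload root: #{referenced_path}"
  end
  resolved
rescue Errno::ENOENT
  raise UnsafeUploadPath, "no such upload: #{referenced_path}"
end

# Copy one upload from a source root into a destination root, validating the
# reference before the copy rather than after it. Returns the new path.
def copy_upload(src_root, dst_root, referenced_path)
  src = safe_resolve(src_root, referenced_path)
  dst = File.join(File.realpath(dst_root), referenced_path)
  FileUtils.mkdir_p(File.dirname(dst))
  FileUtils.cp(src, dst)
  dst
end

# Constructed fixture: an upload root holding one legitimate file, a secret
# file outside the root, and a symlink inside the root that points at the
# secret. Returns [upload_root, secret_path].
def build_fixture
  base = Dir.mktmpdir("uploads-demo")
  root = File.join(base, "uploads")
  FileUtils.mkdir_p(File.join(root, "abc123"))
  File.write(File.join(root, "abc123", "screenshot.png"), "PNG-bytes")
  secret = File.join(base, "secrets.yml")
  File.write(secret, "secret_key_base: constructed-placeholder")
  File.symlink(secret, File.join(root, "abc123", "link"))
  [root, secret]
end

if __FILE__ == $PROGRAM_NAME
  root, _secret = build_fixture
  escaped = naive_resolve(root, "../secrets.yml")
  puts "naive: ../secrets.yml -> #{escaped} (exists? #{File.exist?(escaped)})"
  %w[abc123/screenshot.png ../secrets.yml abc123/link /etc/hostname].each do |ref|
    begin
      puts "safe:  #{ref} -> #{safe_resolve(root, ref)}"
    rescue UnsafeUploadPath => e
      puts "safe:  #{ref} -> rejected (#{e.message})"
    end
  end
end
```

The check is done on the canonical path after realpath, not on the raw string: a pattern-based filter for "../" misses symlinks and encoded variants, whereas comparing the resolved location against the resolved root covers every way the reference could leave the directory.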
A patch in GitLab version 12.9.1
The GitLab Security Team verified the issue and awarded Bowling a $1,000 reward while triage took place. Johnathan Hunt, VP of Security at GitLab, said:
“We’re thankful for security reporters like vakzz who responsibly disclose vulnerabilities through our bug bounty program. Once disclosed to the GitLab Security Team, this specific bug was quickly remediated and made public 30 days after the patch was released.”
Bowling said that the issue could be escalated to remote code execution (RCE) by using the arbitrary file read to obtain GitLab's secret_key_base. His finding was patched in GitLab version 12.9.1. After the patch was released, he was possibly awarded the rest of the sum.
Four months ago, Bowling disclosed a bug in GitLab’s Search API which allowed additional flags to be injected into the git command. He was awarded $12,000 for the critical bug report.