ID THREATPOST:C249ACD6B53EBF0A2F149F42F6D9873D Type threatpost Reporter Lindsey O'Donnell Modified 2020-04-29T16:39:56
Description
A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award.
The flaw was reported to GitLab by software developer William Bowling via the HackerOne bug bounty platform on March 23. It was then disclosed this week after being patched in GitLab version 12.9.1.
At issue is a path-traversal flaw in GitLab, which started out as a web-based Git repository manager but has moved into the DevOps lifecycle-management space. A path traversal is a web security flaw that allows an attacker to read arbitrary files on the server that is running an application. For this particular flaw, the ability to read arbitrary files on the server would give attackers access to tokens, private data, configs and more.
Specifically the flaw exists in the UploadsRewriter function of GitLab, which is used to duplicate files. The UploadsRewriter does not validate the file name and path, allowing arbitrary files to be copied without restriction when moving issues to a new project.
“As there is no restriction on what file can be, path traversal can be used to copy any file,” said Bowling in his bug-bounty report. “The file or path should be validated before copying files.”
Bowling then took the flaw a step further, showcasing how it could be leveraged to launch a remote code-execution attack. Once the arbitrary file read flaw is exploited, he said, it can be used to grab the secret_key_base from the /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml service.
The secret_key_base is used to derive keys that are used to generate and verify encrypted or signed cookies. Once attackers access the secret_key_base, they could manipulate these cookie services to send cookies to the server to execute code.
GitLab verified the finding and escalated the issue to its engineering team, granting Bowling an initial $1,000 triage payment for his findings before ultimately granting the $20,000.
GitLab in December announced it had awarded a total of $565,650 in security bug bounties to 171 researchers who reported valid vulnerabilities in the past year. GitLab launched its bug-bounty program in 2018, and according to Juan Broullon, senior application security engineer at the company, it received a total of 1,378 reports from 513 white-hat hackers in that time.
Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.
{"id": "THREATPOST:C249ACD6B53EBF0A2F149F42F6D9873D", "hash": "9c646d4bf521cc4291ff343b523ca411", "type": "threatpost", "bulletinFamily": "info", "title": "Critical GitLab Flaw Earns Bounty Hunter $20K", "description": "A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award.\n\nThe flaw was reported to GitLab by software developer [William Bowling](<https://twitter.com/wcbowling>) via the [HackerOne bug bounty platform](<https://hackerone.com/reports/827052>) on March 23. It was then disclosed this week after being patched in GitLab version 12.9.1.\n\nAt issue is a path-traversal flaw in GitLab, which started out as a web-based Git repository manager but has moved into the DevOps lifecycle-management space. A path traversal is a web security flaw that allows an attacker to read arbitrary files on the server that is running an application. For this particular flaw, the ability to read arbitrary files on the server would give attackers access to tokens, private data, configs and more.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSpecifically the flaw exists in the UploadsRewriter function of GitLab, which is used to duplicate files. The UploadsRewriter does not validate the file name and path, allowing arbitrary files to be copied without restriction when moving issues to a new project.\n\n\u201cAs there is no restriction on what file can be, path traversal can be used to copy any file,\u201d said Bowling in his bug-bounty report. \u201cThe file or path should be validated before copying files.\u201d\n\nBowling then took the flaw a step further, showcasing how it could be leveraged to launch a remote code-execution attack. Once the arbitrary file read flaw is exploited, he said, it can be used to grab the secret_key_base from the /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml service.\n\nThe secret_key_base is used to derive keys that are used to generate and verify encrypted or signed cookies. Once attackers access the secret_key_base, they could manipulate these cookie services to send cookies to the server to execute code.\n\nGitLab verified the finding and escalated the issue to its engineering team, granting Bowling an initial $1,000 triage payment for his findings before ultimately granting the $20,000.\n\nGitLab in December [announced it had awarded a total of $565,650](<https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/>) in security bug bounties to 171 researchers who reported valid vulnerabilities in the past year. GitLab launched its [bug-bounty program](<https://hackerone.com/gitlab>) in 2018, and according to Juan Broullon, senior application security engineer at the company, it received a total of 1,378 reports from 513 white-hat hackers in that time.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. [On May 13 at 2 p.m. ET](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>), join Valimail security experts and Threatpost for a FREE webinar, [5 Proven Strategies to Prevent Email Compromise](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>). Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please [register here ](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "published": "2020-04-29T16:39:56", "modified": "2020-04-29T16:39:56", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://threatpost.com/critical-gitlab-flaw-bounty-20k/155295/", "reporter": "Lindsey O'Donnell", "references": ["https://twitter.com/wcbowling", "https://hackerone.com/reports/827052", "https://threatpost.com/newsletter-sign/", "https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/", "https://hackerone.com/gitlab", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://attendee.gotowebinar.com/register/4136632530104301068?source=art"], "cvelist": [], "lastseen": "2020-05-22T21:39:39", "history": [{"bulletin": {"id": "THREATPOST:C249ACD6B53EBF0A2F149F42F6D9873D", "hash": "2f3e4c7907a9d1d461e04559587d4300", "type": "threatpost", "bulletinFamily": "info", "title": "Critical GitLab Flaw Earns Bounty Hunter $20K", "description": "A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award.\n\nThe flaw was reported to GitLab by software developer [William Bowling](<https://twitter.com/wcbowling>) via the [HackerOne bug bounty platform](<https://hackerone.com/reports/827052>) on March 23. It was then disclosed this week after being patched in GitLab version 12.9.1.\n\nAt issue is a path-traversal flaw in GitLab, which started out as a web-based Git repository manager but has moved into the DevOps lifecycle-management space. A path traversal is a web security flaw that allows an attacker to read arbitrary files on the server that is running an application. For this particular flaw, the ability to read arbitrary files on the server would give attackers access to tokens, private data, configs and more.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSpecifically the flaw exists in the UploadsRewriter function of GitLab, which is used to duplicate files. The UploadsRewriter does not validate the file name and path, allowing arbitrary files to be copied without restriction when moving issues to a new project.\n\n\u201cAs there is no restriction on what file can be, path traversal can be used to copy any file,\u201d said Bowling in his bug-bounty report. \u201cThe file or path should be validated before copying files.\u201d\n\nBowling then took the flaw a step further, showcasing how it could be leveraged to launch a remote code-execution attack. Once the arbitrary file read flaw is exploited, he said, it can be used to grab the secret_key_base from the /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml service.\n\nThe secret_key_base is used to derive keys that are used to generate and verify encrypted or signed cookies. Once attackers access the secret_key_base, they could manipulate these cookie services to send cookies to the server to execute code.\n\nGitLab verified the finding and escalated the issue to its engineering team, granting Bowling an initial $1,000 triage payment for his findings before ultimately granting the $20,000.\n\nGitLab in December [announced it had awarded a total of $565,650](<https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/>) in security bug bounties to 171 researchers who reported valid vulnerabilities in the past year. GitLab launched its [bug-bounty program](<https://hackerone.com/gitlab>) in 2018, and according to Juan Broullon, senior application security engineer at the company, it received a total of 1,378 reports from 513 white-hat hackers in that time.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. [On May 13 at 2 p.m. ET](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>), join Valimail security experts and Threatpost for a FREE webinar, [5 Proven Strategies to Prevent Email Compromise](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>). Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please [register here ](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)for this sponsored webinar._**\n", "published": "2020-04-29T16:39:56", "modified": "2020-04-29T16:39:56", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://threatpost.com/critical-gitlab-flaw-bounty-20k/155295/", "reporter": "Lindsey O'Donnell", "references": ["https://twitter.com/wcbowling", "https://hackerone.com/reports/827052", "https://threatpost.com/newsletter-sign/", "https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/", "https://hackerone.com/gitlab", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART"], "cvelist": [], "lastseen": "2020-04-29T16:45:08", "history": [], "viewCount": 21, "enchantments": {"dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:307F7DEC939350007D7E6EE70777D508"]}, {"type": "hackerone", "idList": ["H1:827052"]}], "modified": "2020-04-29T16:45:08", "rev": 2}, "score": {"value": 0.4, "vector": "NONE", "modified": "2020-04-29T16:45:08", "rev": 2}}, "objectVersion": "1.4"}, "lastseen": "2020-04-29T16:45:08", "differentElements": ["description", "references"], "edition": 1}, {"bulletin": {"id": "THREATPOST:C249ACD6B53EBF0A2F149F42F6D9873D", "hash": "9c646d4bf521cc4291ff343b523ca411", "type": "threatpost", "bulletinFamily": "info", "title": "Critical GitLab Flaw Earns Bounty Hunter $20K", "description": "A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award.\n\nThe flaw was reported to GitLab by software developer [William Bowling](<https://twitter.com/wcbowling>) via the [HackerOne bug bounty platform](<https://hackerone.com/reports/827052>) on March 23. It was then disclosed this week after being patched in GitLab version 12.9.1.\n\nAt issue is a path-traversal flaw in GitLab, which started out as a web-based Git repository manager but has moved into the DevOps lifecycle-management space. A path traversal is a web security flaw that allows an attacker to read arbitrary files on the server that is running an application. For this particular flaw, the ability to read arbitrary files on the server would give attackers access to tokens, private data, configs and more.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSpecifically the flaw exists in the UploadsRewriter function of GitLab, which is used to duplicate files. The UploadsRewriter does not validate the file name and path, allowing arbitrary files to be copied without restriction when moving issues to a new project.\n\n\u201cAs there is no restriction on what file can be, path traversal can be used to copy any file,\u201d said Bowling in his bug-bounty report. \u201cThe file or path should be validated before copying files.\u201d\n\nBowling then took the flaw a step further, showcasing how it could be leveraged to launch a remote code-execution attack. Once the arbitrary file read flaw is exploited, he said, it can be used to grab the secret_key_base from the /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml service.\n\nThe secret_key_base is used to derive keys that are used to generate and verify encrypted or signed cookies. Once attackers access the secret_key_base, they could manipulate these cookie services to send cookies to the server to execute code.\n\nGitLab verified the finding and escalated the issue to its engineering team, granting Bowling an initial $1,000 triage payment for his findings before ultimately granting the $20,000.\n\nGitLab in December [announced it had awarded a total of $565,650](<https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/>) in security bug bounties to 171 researchers who reported valid vulnerabilities in the past year. GitLab launched its [bug-bounty program](<https://hackerone.com/gitlab>) in 2018, and according to Juan Broullon, senior application security engineer at the company, it received a total of 1,378 reports from 513 white-hat hackers in that time.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. [On May 13 at 2 p.m. ET](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>), join Valimail security experts and Threatpost for a FREE webinar, [5 Proven Strategies to Prevent Email Compromise](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>). Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please [register here ](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "published": "2020-04-29T16:39:56", "modified": "2020-04-29T16:39:56", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://threatpost.com/critical-gitlab-flaw-bounty-20k/155295/", "reporter": "Lindsey O'Donnell", "references": ["https://twitter.com/wcbowling", "https://hackerone.com/reports/827052", "https://threatpost.com/newsletter-sign/", "https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/", "https://hackerone.com/gitlab", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://attendee.gotowebinar.com/register/4136632530104301068?source=art"], "cvelist": [], "lastseen": "2020-04-30T15:45:41", "history": [], "viewCount": 32, "enchantments": {"dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:307F7DEC939350007D7E6EE70777D508"]}, {"type": "hackerone", "idList": ["H1:827052"]}], "modified": "2020-04-30T15:45:41", "rev": 2}, "score": {"value": 0.3, "vector": "NONE", "modified": "2020-04-30T15:45:41", "rev": 2}}, "objectVersion": "1.4"}, "lastseen": "2020-04-30T15:45:41", "differentElements": ["cvelist", "cvss"], "edition": 2}, {"bulletin": {"id": "THREATPOST:C249ACD6B53EBF0A2F149F42F6D9873D", "hash": "f8a0d476acfff04b17056eea6472cf59", "type": "threatpost", "bulletinFamily": "info", "title": "Critical GitLab Flaw Earns Bounty Hunter $20K", "description": "A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award.\n\nThe flaw was reported to GitLab by software developer [William Bowling](<https://twitter.com/wcbowling>) via the [HackerOne bug bounty platform](<https://hackerone.com/reports/827052>) on March 23. It was then disclosed this week after being patched in GitLab version 12.9.1.\n\nAt issue is a path-traversal flaw in GitLab, which started out as a web-based Git repository manager but has moved into the DevOps lifecycle-management space. A path traversal is a web security flaw that allows an attacker to read arbitrary files on the server that is running an application. For this particular flaw, the ability to read arbitrary files on the server would give attackers access to tokens, private data, configs and more.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSpecifically the flaw exists in the UploadsRewriter function of GitLab, which is used to duplicate files. The UploadsRewriter does not validate the file name and path, allowing arbitrary files to be copied without restriction when moving issues to a new project.\n\n\u201cAs there is no restriction on what file can be, path traversal can be used to copy any file,\u201d said Bowling in his bug-bounty report. \u201cThe file or path should be validated before copying files.\u201d\n\nBowling then took the flaw a step further, showcasing how it could be leveraged to launch a remote code-execution attack. Once the arbitrary file read flaw is exploited, he said, it can be used to grab the secret_key_base from the /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml service.\n\nThe secret_key_base is used to derive keys that are used to generate and verify encrypted or signed cookies. Once attackers access the secret_key_base, they could manipulate these cookie services to send cookies to the server to execute code.\n\nGitLab verified the finding and escalated the issue to its engineering team, granting Bowling an initial $1,000 triage payment for his findings before ultimately granting the $20,000.\n\nGitLab in December [announced it had awarded a total of $565,650](<https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/>) in security bug bounties to 171 researchers who reported valid vulnerabilities in the past year. GitLab launched its [bug-bounty program](<https://hackerone.com/gitlab>) in 2018, and according to Juan Broullon, senior application security engineer at the company, it received a total of 1,378 reports from 513 white-hat hackers in that time.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. [On May 13 at 2 p.m. ET](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>), join Valimail security experts and Threatpost for a FREE webinar, [5 Proven Strategies to Prevent Email Compromise](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>). Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please [register here ](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "published": "2020-04-29T16:39:56", "modified": "2020-04-29T16:39:56", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://threatpost.com/critical-gitlab-flaw-bounty-20k/155295/", "reporter": "Lindsey O'Donnell", "references": ["https://twitter.com/wcbowling", "https://hackerone.com/reports/827052", "https://threatpost.com/newsletter-sign/", "https://threatpost.com/gitlab-doles-out-half-a-million-bucks-to-white-hats/151138/", "https://hackerone.com/gitlab", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://register.gotowebinar.com/register/5064791868226032141?source=ART", "https://attendee.gotowebinar.com/register/4136632530104301068?source=art"], "cvelist": ["CVE-2019-18935"], "lastseen": "2020-05-08T21:43:38", "history": [], "viewCount": 32, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-18935"]}, {"type": "attackerkb", "idList": ["AKB:90DDDBF9-EA58-4470-B821-C35007A64BD6"]}, {"type": "threatpost", "idList": ["THREATPOST:EBE40A69B865E25E52FF87060EDD790F", "THREATPOST:307F7DEC939350007D7E6EE70777D508", "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C", "THREATPOST:6A1329627DFBA3501BA187A580E968D5", "THREATPOST:855D1B9BE270C52F4F145172AE284D7C", "THREATPOST:FC124FCB1BDB55D5A63163F8F4720021", "THREATPOST:773984B62685A5874ECAE5DED4D61BFF", "THREATPOST:227406BE9B0ABFE82D16E08B600DBE74", "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8", "THREATPOST:AAE72D4D8A4BB090E3820ABE047B7F51", "THREATPOST:CEFF4DB144B2E463CD3FB46A8A93EEF8"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:AE2D3F648B410F57DC5F105EDA166E2B"]}, {"type": "exploitdb", "idList": ["EDB-ID:47793"]}, {"type": "zdt", "idList": ["1337DAY-ID-33683"]}, {"type": "hackerone", "idList": ["H1:838196", "H1:827052"]}, {"type": "nessus", "idList": ["TELERIK_UI_FOR_ASPNET_AJAX_CVE-2019-18935.NASL"]}], "modified": "2020-05-08T21:43:38", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2020-05-08T21:43:38", "rev": 2}}, "objectVersion": "1.4"}, "lastseen": "2020-05-08T21:43:38", "differentElements": ["cvelist", "cvss"], "edition": 3}], "viewCount": 32, "enchantments": {"dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:307F7DEC939350007D7E6EE70777D508"]}, {"type": "hackerone", "idList": ["H1:827052"]}], "modified": "2020-05-22T21:39:39", "rev": 2}, "score": {"value": 0.3, "vector": "NONE", "modified": "2020-05-22T21:39:39", "rev": 2}, "vulnersScore": 0.3}, "objectVersion": "1.4", "_object_type": "robots.models.threatpost.ThreatpostBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"]}
