Information security researcher William Bowling earned $20,000 for discovering a critical vulnerability in GitLab. The bug could be used to execute arbitrary code on the server or to steal confidential data from it. Bowling discovered the vulnerability in March 2020, when he noticed that an attacker could retrieve arbitrary files from the server while moving an issue from one GitLab project to another.
“The problem was due to the lack of file name validation in the UploadsRewriter function. As a result, the specialist demonstrated in his report that an attacker could exploit this problem to read arbitrary files from the server, including configuration files, tokens, and other sensitive data,” says William Bowling.
Studying the problem further, the researcher found that it could also lead to remote execution of arbitrary code. The flaw affected both self-hosted GitLab installations and gitlab.com.
GitLab engineers note that an attacker could exploit this vulnerability simply by creating their own project or group and moving an issue from one project to another.
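The validation gap the quote above describes is a classic path-traversal pattern: a user-controlled file name is joined onto a storage directory without checking where the result ends up. The following Ruby code is an added illustration, not GitLab's code and not from Bowling's report; the upload root, the function names and the sample file names are constructed for the example. It places an unchecked join next to a resolver that canonicalises the name and refuses anything that does not stay under the upload root.

```ruby
require "pathname"

# Constructed upload root for this example (hypothetical path, not GitLab's layout).
UPLOAD_ROOT = "/var/opt/app/uploads/project-42".freeze

# Unchecked join: the user-controlled name is appended to the root as-is, so a
# name carrying "../" segments resolves to a file outside the upload directory.
# This is the kind of missing validation the article attributes to UploadsRewriter.
def naive_upload_path(root, name)
  File.join(root, name)
end

# Hardened resolution: canonicalise the joined path lexically and accept it only
# if it is a strict descendant of the root. Returns nil for any rejected name.
def safe_upload_path(root, name)
  return nil if name.nil? || name.empty?
  return nil if name.include?("\0")            # a NUL byte would truncate the path at the OS layer
  return nil if Pathname.new(name).absolute?    # an absolute name would replace the root entirely

  root_path = Pathname.new(root).cleanpath
  # Pathname#+ resolves leading ".." lexically against the root and never expands "~";
  # cleanpath then folds any remaining "x/.." segments inside the name.
  candidate = (root_path + name).cleanpath

  # Compare on path segments rather than string prefix, so that
  # ".../project-42x" is not mistaken for a child of ".../project-42".
  rel = candidate.relative_path_from(root_path)
  first = rel.each_filename.first
  return nil if first.nil? || first == "." || first == ".."   # root itself, or climbed above it

  candidate.to_s
end

# Convenience predicate for screening a batch of names during a migration.
def escapes_root?(root, name)
  safe_upload_path(root, name).nil?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names: two legitimate uploads and two traversal attempts.
  samples = [
    "3f2a/screenshot.png",
    "3f2a/../9b1c/notes.txt",
    "../../../../../../etc/passwd",
    "/etc/hosts",
  ]
  samples.each do |n|
    puts format("%-32s naive=%-62s safe=%s",
                n.inspect,
                naive_upload_path(UPLOAD_ROOT, n),
                safe_upload_path(UPLOAD_ROOT, n).inspect)
  end
end
```

The check is purely lexical, which is what matters for a name that has not been written to disk yet. Once a file exists, a symlink inside the upload root could still point elsewhere, so a server-side implementation should additionally compare `File.realpath` of the target against the root before serving it.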
GitLab developers fixed the vulnerability a few days after receiving the researcher's report. As mentioned above, William Bowling was paid a $20,000 reward for this bug.
Interestingly, this is far from Bowling's first bug bounty. In recent months he has earned more than $50,000 for GitLab issues, having found several critical and high-severity vulnerabilities in the platform.
At the end of 2019, GitLab reported that over the past year, it paid researchers more than $500,000 as part of its reward program for vulnerabilities discovered.
GitLab is an open-source DevOps lifecycle web application that provides Git repository management with its own wiki, issue tracker, CI/CD pipelines and other features.
Let me remind you that I recently wrote here about information security researcher Jacob Archuleta, known online as Nullze, who found that the Tesla Model 3 interface is vulnerable to DoS attacks. Archuleta earned at least $15,000 through the Tesla bug bounty program.