Friday, September 18

KEY PUNCHER NEWS

GitLab awards $20,000 to researchers for remote code execution vulnerabilities

GitLab has paid $20,000 to the security researcher who reported a serious remote code execution vulnerability on its platform. The vulnerability was discovered by William "vakzz" Bowling, who is both a developer and a bug bounty hunter. He disclosed it privately through the HackerOne bug bounty platform on March 23. According to Bowling, the source of the problem is GitLab's UploadsRewriter function, which is used to copy files. When an issue is moved between projects, UploadsRewriter handles the file name and path of each attachment; because this step performs no validation, a path traversal flaw allows arbitrary files to be copied. According to the bug bounty hunter, if the vulnerability is exploit
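The defect described above is the missing containment check on a file name and path before a copy. The following Ruby snippet is an added example, not GitLab's code and not Bowling's report: it shows the kind of check a file-copying routine needs, resolving the requested name against an upload root and refusing anything that escapes it. The root directory, the helper names and the sample file names are all constructed for the example.

```ruby
require "pathname"

# Assumed upload root for the example; not a GitLab path.
UPLOAD_ROOT = "/var/uploads".freeze

# Returns the absolute path if `relative_name` stays inside `root`, else nil.
# The check is purely lexical (Pathname#cleanpath collapses "." and ".."
# without touching the disk), so it rejects "../" sequences and absolute
# paths but does not follow symlinks; a deployment that serves a tree with
# symlinks would additionally compare File.realpath results.
def safe_upload_path(root, relative_name)
  return nil if relative_name.nil? || relative_name.empty?
  return nil if relative_name.include?("\0") # NUL bytes truncate paths in C APIs

  root_clean = Pathname.new(root).cleanpath
  candidate  = (root_clean + relative_name).cleanpath

  inside = candidate.to_s == root_clean.to_s ||
           candidate.to_s.start_with?(root_clean.to_s + "/")
  inside ? candidate.to_s : nil
end

# Splits a batch of requested attachment names into the ones a copy routine
# may proceed with and the ones it must refuse. Returns [allowed, rejected].
def partition_copy_requests(root, names)
  allowed  = []
  rejected = []
  names.each do |name|
    resolved = safe_upload_path(root, name)
    if resolved
      allowed << resolved
    else
      rejected << name
    end
  end
  [allowed, rejected]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample attachment names, including traversal attempts.
  sample = ["issue/12/diagram.png", "../../etc/passwd", "/etc/shadow", "a/../b.png", ""]
  allowed, rejected = partition_copy_requests(UPLOAD_ROOT, sample)
  puts "allowed:  #{allowed.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

A copy routine would call `safe_upload_path` for every attachment and abort (and log) on a nil result rather than silently skipping it, since a rejected name is evidence of tampering worth surfacing to monitoring.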