$20,000 RCE in GitLab via 0day in exiftool metadata processing library CVE-2021-22204
https://mailing.bugbountyexplained.com/6
? Get $100 in credits for Digital Ocean ?
https://m.do.co/c/cc700f81d215
This video is an explanation of bug bounty report submitted to GitLab by William Bowling. The vulnerability was a remote code execution by a malicious image metadata. The bug existed in exiftool library and was assigned CVE-2021-22204.
Report:
https://hackerone.com/reports/1154542
https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
Reporter’s twitter:
https://twitter.com/wcbowling
Follow me on twitter:
https://twitter.com/gregxsunday
Timestamps:
00:00 Intro
00:54 What is metadata?
02:41 How exiftool handled “
06:16 The exploit
Add comment