Improper Preservation of Permissions in tsolucio/corebos


Reported on

Feb 27th 2022

Git repository found

Description: Git metadata directory (.git) was found in this folder. An attacker can extract sensitive information by requesting the hidden metadata directory that version control tool Git creates. The metadata directories are used for development purposes to keep track of development changes to a set of source code before it is committed back to a central repository (and vice-versa). When code is rolled to a live server from a repository, it is supposed to be done as an export rather than as a local working copy, and hence this problem.

Proof of Concept: visit the url:

[core] repositoryformatversion = 0 filemode = false bare = false logallrefupdates = true [remote "origin"] url = fetch = +refs/heads/:refs/remotes/origin/ [branch "master"] remote = origin merge = refs/heads/master

Impact GIT repository files can disclose GIT repository usernames and file lists. While disclosures of this type do not provide direct attack vectors, they can be useful for an attacker when combined with other vulnerabilities discovered within the application.


We are processing your report and will contact the tsolucio/corebos team within 24 hours. a year ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back a year ago
Joe Bordes validated this vulnerability a year ago
tharunavula has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the tsolucio/corebos team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the tsolucio/corebos team. We will try again in 10 days. a year ago
Joe Bordes marked this as fixed in 8.0 with commit f9aafe a year ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE
FUNDING.yml#L2 has been validated
to join this conversation