Second critical vulnerability disclosed in GitLab in less than a week


GitLab has a second security problem in less than a week

In less than a week, GitLab's developers have had to go back to work. Just a few days ago the corrective releases 15.3.1, 15.2.3 and 15.1.5 of the GitLab collaborative development platform were published, resolving a critical vulnerability.

Tracked as CVE-2022-2884, that vulnerability could allow an authenticated user to achieve code execution on the server through the GitHub Import API. No exploitation details have been published. The vulnerability was identified by a security researcher as part of the HackerOne bug bounty program.

As a workaround, administrators were advised to disable import from GitHub (in the GitLab web interface: "Menu" -> "Admin" -> "Settings" -> "General" -> "Visibility and access controls" -> "Import sources" -> uncheck "GitHub").

Then, less than a week later, GitLab published the next set of corrective releases of its collaborative development platform, 15.3.2, 15.2.4 and 15.1.6, which fix a second critical vulnerability.

Tracked as CVE-2022-2992, this vulnerability again allows an authenticated user to execute code remotely on the server. Like CVE-2022-2884, fixed the week before, it is a new problem in the API for importing data from the GitHub service. Among other releases, the vulnerability is present in 15.3.1, 15.2.3 and 15.1.5, the very releases in which the first vulnerability in the GitHub import code was fixed.

No exploitation details have been published. The vulnerability was reported to GitLab through the HackerOne bug bounty program, but unlike the previous issue it was identified by a different researcher.

As a workaround, administrators are again advised to disable import from GitHub until the update is applied (in the GitLab web interface: "Menu" -> "Admin" -> "Settings" -> "General" -> "Visibility and access controls" -> "Import sources" -> uncheck "GitHub").
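For an administrator who would rather script the check than click through the interface, the following is an added example (written for this article, not GitLab's own tooling). It compares the instance version reported by GET /version against the fix levels stated above for both CVEs and, where a fix is missing, applies the published workaround by removing "github" from the import_sources list through the Application Settings API. It generalizes slightly beyond the text: the 15.4 and later series are assumed to already carry both fixes, and anything older than the 15.1 series is assumed unfixed. GITLAB_URL and GITLAB_TOKEN are environment variable names chosen for this example; the token is assumed to be an administrator personal access token with the api scope.

```python
"""Check a GitLab instance against the fix levels named in this article and
apply the published workaround (disable the GitHub import source) through
the Application Settings API.

Added example for this article, not GitLab's own tooling. Assumptions:
the fix levels are those stated in the article (15.1.5/15.2.3/15.3.1 for
CVE-2022-2884 and 15.1.6/15.2.4/15.3.2 for CVE-2022-2992); series after
15.3 are treated as already fixed and series before 15.1 as unfixed;
GITLAB_URL and GITLAB_TOKEN are environment variable names chosen for this
example, the token being an administrator PAT with the `api` scope.
"""
import json
import os
import urllib.request
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First patched release in each 15.x series, per the article.
FIXED_IN: Dict[str, Dict[int, Version]] = {
    "CVE-2022-2884": {1: (15, 1, 5), 2: (15, 2, 3), 3: (15, 3, 1)},
    "CVE-2022-2992": {1: (15, 1, 6), 2: (15, 2, 4), 3: (15, 3, 2)},
}


def parse_version(text: str) -> Version:
    """'15.3.1-ee' -> (15, 3, 1); edition suffixes such as -ee/-ce are ignored."""
    parts = text.split("-", 1)[0].split(".")
    parts += ["0"] * (3 - len(parts))
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def is_fixed(version: str, cve: str) -> bool:
    """True when `version` already carries the fix for `cve`."""
    major, minor, patch = parse_version(version)
    table = FIXED_IN[cve]
    if major == 15 and minor in table:
        return (major, minor, patch) >= table[minor]
    # Series after the last one listed shipped with the fix; older series
    # never received a backport (assumption stated in the module docstring).
    return (major, minor) > (15, max(table))


def outstanding_cves(version: str) -> List[str]:
    """CVEs from the article whose fix `version` is still missing."""
    return [cve for cve in FIXED_IN if not is_fixed(version, cve)]


def without_github(import_sources: List[str]) -> List[str]:
    """The workaround as a settings change: the same list minus 'github'."""
    return [source for source in import_sources if source != "github"]


def _api(base_url: str, token: str, path: str, method: str = "GET", body=None):
    """Minimal GitLab REST v4 call using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4{path}", data=data, method=method,
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main() -> None:
    base_url, token = os.environ["GITLAB_URL"], os.environ["GITLAB_TOKEN"]
    version = _api(base_url, token, "/version")["version"]
    missing = outstanding_cves(version)
    print(f"GitLab {version}: missing fixes for {', '.join(missing) or 'none'}")
    sources = _api(base_url, token, "/application/settings").get("import_sources", [])
    if missing and "github" in sources:
        # Disable the GitHub import source until the upgrade is done.
        _api(base_url, token, "/application/settings", "PUT",
             {"import_sources": without_github(sources)})
        print("GitHub import source disabled; re-enable after upgrading")
    elif missing:
        print("GitHub import source already disabled; upgrade is still required")


if __name__ == "__main__":
    main()
```

The workaround only blocks the vulnerable import path; it is not a substitute for the upgrade, which is why the script still reports the outstanding CVEs after changing the setting.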

In addition, the new releases fix 14 further vulnerabilities, two of which are rated high severity, ten medium severity and two low severity.

The following are rated high severity. CVE-2022-2865 allows an attacker to inject their own JavaScript into pages displayed to other users by manipulating label colors: a crafted label color attribute could result in stored XSS, letting the attacker perform arbitrary actions on behalf of victims on the client side.
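The article does not publish how the label color bug worked, so the following is an added, hypothetical illustration of the bug class rather than GitLab's code: a renderer that drops a stored color value straight into a style attribute, beside one that validates the value against an allow-list of #RRGGBB colors on write and escapes on output. The attacker payload is constructed for the demonstration.

```python
"""Label colour handling: the unsafe pattern behind a stored XSS in a
'color' attribute, beside the allow-list validation that closes it.

Added example for this article, not GitLab's code. The page does not
publish the details of CVE-2022-2865, so the vulnerable and fixed
functions below are hypothetical illustrations of the bug class, and the
attacker payload is constructed for the demonstration.
"""
import html
import re

# A colour as a label would store it: '#' followed by exactly six hex digits.
HEX_COLOUR = re.compile(r"\A#[0-9a-fA-F]{6}\Z")

# Constructed attacker payload (not from any advisory): closes the style
# attribute and appends an event handler attribute.
PAYLOAD = '#ff0000" onmouseover="alert(document.cookie)'


def render_label_unsafe(name: str, color: str) -> str:
    """Hypothetical vulnerable renderer: the stored colour is interpolated
    into the style attribute as-is, so a '"' in it breaks out of the attribute."""
    return f'<span class="label" style="background-color:{color}">{html.escape(name)}</span>'


def is_valid_color(color: str) -> bool:
    """Allow-list check: only '#RRGGBB' is a colour; everything else is not."""
    return HEX_COLOUR.match(color) is not None


def validate_color(color: str) -> str:
    """Reject anything that is not a colour before it is ever stored."""
    if not is_valid_color(color):
        raise ValueError(f"invalid label colour: {color!r}")
    return color.lower()


def render_label(name: str, color: str) -> str:
    """Hardened renderer: allow-list the colour and HTML-escape both values
    at output time. Escaping alone is not a sufficient control for a value
    that lands in a CSS context; the allow-list guarantees it is a colour
    and nothing else, and escaping is defence in depth."""
    safe_color = validate_color(color)
    return (f'<span class="label" style="background-color:{html.escape(safe_color)}">'
            f'{html.escape(name)}</span>')


def is_attribute_breakout(markup: str) -> bool:
    """Crude detector used only to show the effect: an on* attribute
    appearing right after what should have been a single style attribute."""
    return re.search(r'style="[^"]*"\s+on\w+=', markup) is not None


if __name__ == "__main__":
    print(render_label_unsafe("bug", PAYLOAD))   # attribute breakout
    print(render_label("bug", "#FF0000"))         # normalised, safe
    print("payload accepted as colour:", is_valid_color(PAYLOAD))
```

The point of the example is the order of controls: validation on write (an allow-list pattern for the data type) is what removes the injection, and output escaping is kept as the second layer.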

The other high-severity vulnerability resolved in the new set of fixes is CVE-2022-2527, which makes it possible to inject content through the description field of the Incident timeline. The medium-severity vulnerabilities are mostly related to denial of service.

Lack of length validation in snippet descriptions in GitLab CE/EE, affecting all versions before 15.1.6, all versions from 15.2 before 15.2.4 and all versions from 15.3 before 15.3.2, allows an authenticated attacker to create a maliciously large snippet that, when requested with or without authentication, places excessive load on the server and can lead to denial of service.

Among the other vulnerabilities resolved:

  • Package registry does not fully respect the group IP allow list: GitLab did not properly enforce IP address restrictions on the Package Registry, allowing an attacker who already holds a valid deploy token to misuse it from any location.
  • Abuse of Gitaly.GetTreeEntries calls leads to denial of service, allowing an authenticated and authorized user to exhaust server resources by importing a malicious project.
  • Arbitrary HTTP requests possible from an .ipynb notebook containing a malicious form tag, allowing an attacker to issue arbitrary HTTP requests.
  • Denial of service via crafted input in the commit message field: specially crafted input added to a commit message could trigger high CPU usage.
  • Information disclosure via unsanitized GFM references rendered in Incident timeline events.
  • Repository content readable through the LivePreview feature: an unauthorized user could read repository content if a project member used a crafted link.
  • Denial of service via the API when creating a branch: improper data handling on branch creation could be used to trigger high CPU usage.
  • Denial of service via issue preview.

Finally, if you are interested in learning more, you can check the details at the following link.

