Second critical vulnerability in GitLab within a week

GitLab has published the next series of updates to its platform for collaborative development, 15.3.2, 15.2.4 and 15.1.6, which eliminate a critical vulnerability (CVE-2022-2992) that allows an authenticated user to execute code remotely on the server. Like the CVE-2022-2884 vulnerability fixed a week earlier, the new problem is present in the API for importing data from the GitHub service. The vulnerability is also present in releases 15.3.1, 15.2.3 and 15.1.5, which fixed the first vulnerability in the GitHub import code.

No details of exploitation have been published yet. Information about the vulnerability was submitted to GitLab as part of the HackerOne bug bounty program, but unlike the previous issue, it was discovered by a different participant. As a workaround, administrators are advised to disable the import feature from GitHub (in the GitLab web interface: "Menu" -> "Admin" -> "Settings" -> "General" -> "Visibility and access controls" -> "Import sources" -> disable "GitHub").
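As an added example (not from the original article or from GitLab), the following offline check lets an administrator confirm, from the JSON returned by GitLab's `GET /api/v4/version` and `GET /api/v4/application/settings` endpoints, whether an instance is on a release that contains the CVE-2022-2992 fix and, if not, whether the GitHub import source is still enabled. The sample JSON and the treatment of branches outside 15.1-15.3 are assumptions.

```python
# Added example: assess a self-managed GitLab instance against CVE-2022-2992
# using saved API responses. The JSON below is constructed sample data.
import json

# Fixed releases named in the advisory, keyed by minor branch.
FIXED = {(15, 3): (15, 3, 2), (15, 2): (15, 2, 4), (15, 1): (15, 1, 6)}


def parse_version(v: str) -> tuple:
    # "15.3.1-ee" -> (15, 3, 1); any edition suffix after '-' is ignored
    return tuple(int(x) for x in v.split("-")[0].split(".")[:3])


def is_patched(version: str) -> bool:
    """True if the release contains the CVE-2022-2992 fix.
    Assumption: branches older than 15.1 are treated as unpatched and
    branches newer than 15.3 as patched (cut after the fix)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    return branch > (15, 3)


def github_import_enabled(settings: dict) -> bool:
    # import_sources mirrors Admin -> Settings -> General -> Import sources
    return "github" in settings.get("import_sources", [])


def assess(version_json: str, settings_json: str) -> dict:
    version = json.loads(version_json)["version"]
    settings = json.loads(settings_json)
    patched = is_patched(version)
    github = github_import_enabled(settings)
    # exposed: unpatched release with the vulnerable import path still reachable
    return {"version": version, "patched": patched,
            "github_import_enabled": github,
            "exposed": (not patched) and github}


# Constructed sample responses (not real instance data)
SAMPLE_VERSION = '{"version": "15.3.1-ee", "revision": "0000000"}'
SAMPLE_SETTINGS = '{"import_sources": ["github", "gitlab", "bitbucket"]}'

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SETTINGS))
```

On a live instance, save the two API responses with an admin token and pass their contents to `assess`.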

In addition, the released updates fix 14 other vulnerabilities, two of which are rated high severity, ten medium severity, and two low severity. Rated as high severity are CVE-2022-2865, which allows an attacker to add their own JavaScript code to pages shown to other users by manipulating color labels, and CVE-2022-2527, which makes it possible to substitute their own content via the description field in the incident timeline. The medium-severity vulnerabilities are related to possible denial of service.

source: budenet.ru