ProHoster > Pūnaewele > nūhou pūnaewele > ʻO ka vulnerability i ka pac-resolver NPM package me 3 miliona mau hoʻoiho i kēlā me kēia pule

ʻO ka vulnerability i ka pac-resolver NPM package me 3 miliona mau hoʻoiho i kēlā me kēia pule

ʻO ka pōʻai NPM pac-resolver, aia ma luna o 3 miliona mau hoʻoiho i kēlā me kēia pule, he nāwaliwali (CVE-2021-23406) e hiki ai i kāna code JavaScript ke hoʻokō ʻia i loko o ka pōʻaiapili o ka noi ke hoʻouna ʻana i nā noi HTTP mai nā papahana Node.js. kākoʻo i ka hana hoʻonohonoho auto-configuration server proxy.

Hoʻopili ka pūʻolo pac-resolver i nā faila PAC me kahi palapala hoʻonohonoho koho koho. Aia ka waihona PAC i ka code JavaScript maʻamau me kahi hana FindProxyForURL e wehewehe ana i ka loiloi no ke koho ʻana i kahi koho ma muli o ka mea hoʻokipa a me ka URL i noi ʻia. ʻO ke kumu o ka nāwaliwali, ʻo ia ka hoʻokō ʻana i kēia code JavaScript ma ka pac-resolver, ua hoʻohana ʻia ka VM API i hāʻawi ʻia ma Node.js, e hiki ai iā ʻoe ke hoʻokō i ka code JavaScript ma kahi ʻano ʻokoʻa o ka mīkini V8.

Ua hōʻailona maopopo ʻia ka API i ʻōlelo ʻia ma ka palapala ʻaʻole i manaʻo ʻia no ka holo ʻana i ka code hilinaʻi ʻole, no ka mea, ʻaʻole ia e hāʻawi i kahi kaʻawale piha o ke code e holo nei a hiki ke komo i ka pōʻaiapili kumu. Ua hoʻoholo ʻia ka pilikia ma ka pac-resolver 5.0.0, i hoʻoneʻe ʻia e hoʻohana i ka waihona vm2, e hāʻawi ana i kahi pae kiʻekiʻe o ka kaʻawale kūpono no ka holo ʻana i nā code hilinaʻi ʻole.

ʻO ka vulnerability i ka pac-resolver NPM package me 3 miliona mau hoʻoiho i kēlā me kēia pule

I ka hoʻohana ʻana i kahi mana pac-resolver, hiki i ka mea hoʻouka ma o ka hoʻouna ʻana i kahi faila PAC i hoʻolālā kūikawā ke hoʻokō i kāna code JavaScript ma ke ʻano o ke code o kahi papahana me Node.js, inā hoʻohana kēia papahana i nā hale waihona puke i loaʻa nā hilinaʻi. me ka pac-resolver. ʻO ka mea kaulana loa o nā hale waihona puke pilikia ʻo Proxy-Agent, i helu ʻia ma ke ʻano he hilinaʻi ma nā papahana 360, me urllib, aws-cdk, mailgun.js a me firebase-mea hana, ʻoi aku ma mua o ʻekolu miliona mau hoʻoiho i kēlā me kēia pule.

Inā hoʻouka kekahi palapala noi e hilinaʻi ana i ka pac-resolver i kahi faila PAC i hāʻawi ʻia e kahi ʻōnaehana e kākoʻo ana i ka protocol configuration automatic WPAD proxy, a laila hiki i nā mea hoʻouka me ke komo ʻana i ka pūnaewele kūloko ke hoʻohana i ka hāʻawi ʻana i nā koho koho ma o DHCP e hoʻokomo i nā faila PAC maikaʻi ʻole.

Source: opennet.ru

Pākuʻi i ka manaʻo hoʻopuka