Vulnerability in GitLab that allows hijacking of OAuth, LDAP and SAML accounts

Corrective releases of the collaborative development platform GitLab 14.7.7, 14.8.5 and 14.9.2 fix a critical vulnerability (CVE-2022-1162) caused by a hardcoded password being set for accounts registered through OmniAuth providers (OAuth, LDAP and SAML). The vulnerability allows an attacker to gain access to such an account. All users are advised to install the update immediately. Details of the issue have not yet been disclosed. Passwords have been reset for users whose accounts were affected by the issue. The issue was identified by GitLab staff, and the investigation did not reveal any compromise of user accounts.

The new releases also fix 16 additional vulnerabilities, of which 2 are rated high severity, 9 medium and 5 low. The high-severity issues include the possibility of HTML injection (XSS) in notes (CVE-2022-1175) and in issue comments and descriptions (CVE-2022-1190).

Source: opennet.ru
