Vulnerability in GitLab allowing access to Runner tokens

Corrective updates to the GitLab collaborative development platform, versions 14.8.2, 14.7.4 and 14.6.5, eliminate a critical vulnerability (CVE-2022-0735) that allowed an unprivileged user to extract registration tokens for GitLab Runner, the component used to invoke handlers when building project code in the continuous integration system. No details have been published, only that the problem is caused by an information leak when using Quick Actions commands.

The issue was identified by GitLab staff and affects versions 12.10 up to 14.6.5, 14.7 up to 14.7.4, and 14.8 up to 14.8.2. Users who maintain their own GitLab installations are advised to install the update or apply the patch as soon as possible. The issue was resolved by restricting access to Quick Actions commands to users who hold write permission. After the update or the "token-prefix" patches are installed, Runner registration tokens previously created in groups and projects will be reset and regenerated.
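The version ranges above are what an administrator has to check first. The following is an added example (not code from GitLab or from the original post) that parses a GitLab version string and reports whether it falls inside the affected ranges and which release on that line first ships the fix. It treats the upper bound of each range as exclusive, because 14.6.5, 14.7.4 and 14.8.2 are named as the fixed releases. The sample instance data is constructed; in practice the version string would come from the instance's own `/api/v4/version` endpoint or the admin page.

```python
"""Check a GitLab version string against the ranges the advisory lists for CVE-2022-0735.

Added example; it is not GitLab's code and not part of the original post.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory. Lower bound inclusive; upper bound is the
# first release carrying the fix on that line, so it is exclusive.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((12, 10, 0), (14, 6, 5)),
    ((14, 7, 0), (14, 7, 4)),
    ((14, 8, 0), (14, 8, 2)),
]

# Accepts "14.7.3", "14.7.3-ee", "14.7" (patch defaults to 0); ignores suffixes.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_release_for(version: str) -> Optional[str]:
    """Return the first fixed release on the affected line, or None if not affected."""
    parsed = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= parsed < high:
            return ".".join(str(n) for n in high)
    return None


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    return fixed_release_for(version) is not None


def assess_instances(instances: Dict[str, str]) -> Dict[str, str]:
    """Map instance name -> human-readable status for a fleet of installations.

    `instances` maps a hostname (or label) to the version string it reports.
    """
    report = {}
    for name, version in instances.items():
        fix = fixed_release_for(version)
        if fix is None:
            report[name] = f"{version}: not in affected range"
        else:
            report[name] = (f"{version}: affected by CVE-2022-0735, "
                            f"upgrade to {fix} or later; Runner tokens will be reset")
    return report


if __name__ == "__main__":
    # Constructed sample fleet (hostnames and versions are made up for the example).
    sample_fleet = {
        "gitlab.example.internal": "14.7.3-ee",
        "gitlab-staging.example.internal": "14.8.2-ee",
        "gitlab-legacy.example.internal": "13.12.15",
    }
    for line in assess_instances(sample_fleet).values():
        print(line)
```

Because the page states that registration tokens are regenerated by the update, the report text reminds the operator to re-register runners after upgrading rather than only bumping the version.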

In addition to the critical vulnerability, the new releases also eliminate 6 less dangerous vulnerabilities that could allow an unprivileged user to add other users to groups, spoof users by altering the contents of Snippets, leak environment variables through the email delivery method, determine whether users exist through the GraphQL API, leak passwords when mirroring repositories over SSH in pull mode, and carry out a DoS attack through the comment submission system.

Source: opennet.ru
