Vulnerability in GitLab allowing access to Runner tokens

The corrective updates to the continuous integration platform GitLab 14.8.2, 14.7.4 and 14.6.5 eliminate a critical vulnerability (CVE-2022-0735) that allows an unprivileged user to extract GitLab Runner registration tokens, which are used to invoke the handlers that build project code in the continuous integration system. Details have not yet been disclosed, other than that the problem is caused by an information leak when using Quick Actions commands.

The issue was identified by GitLab staff and affects versions 12.10 through 14.6.5, 14.7 through 14.7.4, and 14.8 through 14.8.2. Users running their own GitLab installations are advised to install the update or apply the patch as soon as possible. The issue was fixed by restricting access to Quick Actions commands to users with write permission only. After installing the update or the individual "token-prefix" patches, Runner registration tokens previously created for groups and projects are reset and regenerated.

In addition to the critical vulnerability, the new versions also eliminate 6 less dangerous vulnerabilities that could allow an unprivileged user to add other users to groups, spoof users by manipulating Snippet contents, leak environment variables through the email sending method, determine the existence of users through the GraphQL API, leak passwords when mirroring a repository via SSH in pull mode, and carry out a DoS attack through the comment submission system.

Source: opennet.ru
