Vulnerability in GitLab allowing account takeover and execution of commands as another user

Corrective updates of the collaborative development platform have been released: GitLab 16.7.2, 16.6.4 and 16.5.6, which fix two critical issues. The first vulnerability (CVE-2023-7028), assigned the maximum severity level (10 out of 10), allows taking over another user's account by manipulating the forgotten-password reset form. The vulnerability is caused by the ability to have the email containing the password reset code sent to an unverified email address. The problem has been present since GitLab 16.1, which introduced the ability to send the password reset code to a secondary, unverified email address.

To check whether a system has been compromised, look in the gitlab-rails/production_json.log log for HTTP requests to the /users/password handler in which the "params.value.email" parameter contains a JSON array of several email addresses. It is also advisable to check the gitlab-rails/audit_json.log log for entries with the value PasswordsController#create in meta.caller.id and a list of several addresses in the target_details block. The attack cannot be completed if the user has two-factor authentication enabled: the password can still be reset, but the attacker cannot log in without the second factor.
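As an added example, not part of the original article and not GitLab's own tooling, the following Python script applies the two log checks described above to a few constructed log lines. The field layout is an assumption modelled on the published indicators: production_json.log is taken to carry "params" as a list of {"key", "value"} pairs, and audit_json.log to carry flattened "meta.*" keys with a JSON-encoded string in "target_details"; the sample lines, addresses and IPs are constructed, and the field names should be adjusted to match what your instance actually writes.

```python
import json
from typing import Any, Dict, Iterable, Iterator, List, Optional

# Constructed sample log lines (not from any real instance). The field layout is an
# assumption modelled on GitLab's published indicators for CVE-2023-7028.
PRODUCTION_JSON_LOG = "\n".join([
    json.dumps({"method": "POST", "path": "/users/password", "status": 302,
                "remote_ip": "203.0.113.7",
                "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                           {"key": "user", "value": {"email": ["victim@example.org",
                                                               "attacker@example.net"]}}]}),
    json.dumps({"method": "POST", "path": "/users/password", "status": 302,
                "remote_ip": "198.51.100.2",
                "params": [{"key": "user", "value": {"email": "alice@example.org"}}]}),
    json.dumps({"method": "GET", "path": "/users/sign_in", "status": 200, "params": []}),
])

AUDIT_JSON_LOG = "\n".join([
    json.dumps({"meta.caller.id": "PasswordsController#create", "meta.remote_ip": "203.0.113.7",
                "target_details": json.dumps(["victim@example.org", "attacker@example.net"])}),
    json.dumps({"meta.caller.id": "PasswordsController#create", "meta.remote_ip": "198.51.100.2",
                "target_details": "alice@example.org"}),
    json.dumps({"meta.caller.id": "SessionsController#create", "meta.remote_ip": "198.51.100.2",
                "target_details": "alice@example.org"}),
])


def _parse_lines(lines: Iterable[str]) -> Iterator[Dict[str, Any]]:
    """Yield one dict per JSON line; skip blank, truncated or non-JSON lines instead of aborting."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry


def _address_list(value: Any) -> Optional[List[str]]:
    """Return the addresses when value is a JSON array of strings (or a string encoding one), else None."""
    if isinstance(value, str):
        text = value.strip()
        if not text.startswith("["):
            return None  # a plain single address: the legitimate case
        try:
            value = json.loads(text)
        except json.JSONDecodeError:
            return None
    if isinstance(value, list) and all(isinstance(item, str) for item in value):
        return value
    return None


def _email_values(value: Any) -> Iterator[Any]:
    """Yield every value stored under an "email" key, however deeply it is nested in params."""
    if isinstance(value, dict):
        for key, inner in value.items():
            if key == "email":
                yield inner
            else:
                yield from _email_values(inner)
    elif isinstance(value, list):
        for item in value:
            yield from _email_values(item)


def suspicious_password_resets(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """production_json.log: requests to /users/password whose email parameter is an array of several addresses."""
    hits = []
    for entry in _parse_lines(lines):
        if entry.get("path") != "/users/password":
            continue
        for candidate in _email_values(entry.get("params", [])):
            addresses = _address_list(candidate)
            if addresses is not None and len(addresses) > 1:
                hits.append({"remote_ip": entry.get("remote_ip"), "emails": addresses})
                break
    return hits


def suspicious_audit_entries(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """audit_json.log: PasswordsController#create entries whose target_details lists several addresses."""
    hits = []
    for entry in _parse_lines(lines):
        # The advisory spells the field meta.caller.id; the underscore form is accepted as an assumption.
        caller = entry.get("meta.caller.id") or entry.get("meta.caller_id")
        if caller != "PasswordsController#create":
            continue
        addresses = _address_list(entry.get("target_details"))
        if addresses is not None and len(addresses) > 1:
            hits.append({"remote_ip": entry.get("meta.remote_ip") or entry.get("remote_ip"),
                         "emails": addresses})
    return hits


if __name__ == "__main__":
    for hit in suspicious_password_resets(PRODUCTION_JSON_LOG.splitlines()):
        print("production_json.log:", hit)
    for hit in suspicious_audit_entries(AUDIT_JSON_LOG.splitlines()):
        print("audit_json.log:", hit)
```

To sweep a real instance, pass open file handles instead of the constructed strings (on Omnibus installs the logs normally live under /var/log/gitlab/gitlab-rails/), and include rotated copies going back to the 16.1 upgrade date, since the exposure window starts there, not at disclosure. A single address in the email parameter is the normal reset flow and is deliberately not flagged; only an array with more than one address matches the indicator.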

The second vulnerability, CVE-2023-5356, is located in the code for integration with the Slack and Mattermost services and allows executing slash commands ("/" commands) as another user because of a missing authorization check. The issue is rated 9.6 out of 10. The new versions also eliminate a less severe (7.6 out of 10) vulnerability (CVE-2023-4812), which allows bypassing CODEOWNERS approval by adding changes to an already approved merge request.

Detailed information about the identified vulnerabilities is scheduled for publication 30 days after the release of the fixes. The vulnerabilities were reported to GitLab through the HackerOne vulnerability bounty program.

Source: opennet.ru
