Malicious change made to the node-ipc NPM package deletes files on systems in Russia and Belarus.

A malicious change has been found in the node-ipc NPM package (CVE-2022-23812): with a 25% probability, the contents of every file the process can write to are replaced with the "❤️" character. The malicious code is activated only when it runs on systems with IP addresses from Russia or Belarus. The node-ipc package has about a million downloads per week and is used as a dependency by 350 packages, including vue-cli. All projects that have node-ipc as a dependency are affected by the problem as well.

The malicious code was published to the NPM repository as part of the node-ipc 10.1.1 and 10.1.2 releases. The malicious change was committed to the project's Git repository on behalf of the project's author 11 days ago. The code determined the country by calling the api.ipgeolocation.io service. The key that the malicious insert used to access the ipgeolocation.io API has now been revoked.

In the comments on the warning about the appearance of the questionable code, the project's author stated that the change amounted to adding a file to the desktop that displays a message calling for peace. In reality, the code performed a recursive search through directories and tried to overwrite every file it encountered.

The node-ipc 11.0.0 and 11.1.0 releases were later published to the NPM repository. They replaced the built-in malicious code with an external dependency, "peacenotwar", which is controlled by the same author and is offered for inclusion to package maintainers who wish to join the protest. The peacenotwar package is said to only display a message about peace, but given the actions the author has already taken, the further contents of the package are unpredictable and the absence of destructive changes is not guaranteed.

At the same time, an update was released for the stable node-ipc 9.2.2 branch, which is used by the Vue.js project. In the new release, in addition to peacenotwar, the colors package was added to the list of dependencies; its author integrated destructive changes into the code in January. The license of the new release was changed from MIT to DBAD.

Since the author's further actions are unpredictable, node-ipc users are advised to pin the dependency at version 9.2.1. It is also recommended to pin the versions of other projects by the same author, who maintained 41 packages. Some of the packages maintained by the same author (js-queue, easy-stack, js-message, event-pubsub) have about a million downloads per week.
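To check a project against the versions named in this article, the following added example (not code from node-ipc or from the article's source) scans a parsed package-lock.json for the flagged node-ipc releases and for peacenotwar. The function names, the sample lockfile and its example-cli package are constructed for illustration.

```javascript
// Added example. Versions and package names come from the article above.
const FLAGGED = new Map([
  ["node-ipc", {
    "10.1.1": "file-overwriting code (CVE-2022-23812)",
    "10.1.2": "file-overwriting code (CVE-2022-23812)",
    "9.2.2": "adds the peacenotwar dependency",
    "11.0.0": "adds the peacenotwar dependency",
    "11.1.0": "adds the peacenotwar dependency",
  }],
  ["peacenotwar", { "*": "package controlled by the node-ipc author" }],
]);

function check(name, version, where, findings) {
  const rules = FLAGGED.get(name);
  if (!rules) return;
  const reason = rules[version] || rules["*"];
  if (reason) findings.push({ name, version, where, reason });
}

// lockfileVersion 1: nested "dependencies" tree.
function walkV1(deps, trail, findings) {
  for (const [name, info] of Object.entries(deps || {})) {
    check(name, info.version, [...trail, name].join(" > "), findings);
    walkV1(info.dependencies, [...trail, name], findings);
  }
}

function auditLockfile(lock) {
  const findings = [];
  if (!lock.packages) walkV1(lock.dependencies, [], findings);
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = info.name || path.split("node_modules/").pop();
    check(name, info.version, path, findings);
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/example-cli/node_modules/node-ipc": { version: "10.1.1" },
    "node_modules/peacenotwar": { version: "0.0.0-sample" },
  },
};
console.log(auditLockfile(sampleLock));
```

Pass it the result of `JSON.parse` on your own package-lock.json; nested copies pulled in by other dependencies are reported with their install path.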

Addendum: Other attempts have been recorded to add actions to various open source packages that are unrelated to the applications' direct functionality and are tied to the IP address or system locale. The most harmless of these changes (es5-ext, rete, PHP Composer, PHPUnit, Redis Desktop Manager, Awesome Prometheus Alerts, verdaccio, filestash) boil down to showing calls to end the war to users from Russia and Belarus. At the same time, more dangerous manifestations are also being observed: for example, an encryptor was added to the AWS Terraform modules packages and political restrictions were introduced into the license. The Tasmota firmware for ESP8266 and ESP32 devices has a built-in insert that can block the operation of devices. It is believed that such activity can seriously undermine trust in open source software.

Source: opennet.ru
