Vulnerability in the pac-resolver NPM package with 3 million downloads per week

The pac-resolver NPM package, which has more than 3 million downloads per week, has a vulnerability (CVE-2021-23406) that allows JavaScript code to be executed in the context of the application when HTTP requests are sent from Node.js projects with support for automatic proxy configuration.

The pac-resolver package parses PAC files, which contain a proxy auto-configuration script. A PAC file consists of ordinary JavaScript code with a FindProxyForURL function that defines the proxy selection logic depending on the host and the requested URL. The essence of the vulnerability is that, to execute the JavaScript code in pac-resolver, the VM API provided by Node.js was used, which allows JavaScript code to be run in a separate context of the V8 engine.

The API in question is explicitly marked in the documentation as not intended for running untrusted code, since it does not provide complete isolation of the executed code and allows access to the original context. The issue was fixed in pac-resolver 5.0.0, which moved to using the vm2 library, which provides a higher level of isolation suitable for running untrusted code.

When a vulnerable version of pac-resolver is used, an attacker who supplies a specially crafted PAC file can achieve execution of their JavaScript code in the context of the project's code running under Node.js, if that project uses libraries that depend on pac-resolver. The most popular of the affected libraries is proxy-agent, which is listed as a dependency of 360 projects, including urllib, aws-cdk, mailgun.js and firebase-tools, which together total more than three million downloads per week.

If an application with a pac-resolver dependency for PAC file parsing runs on a system that supports the WPAD protocol for automatic proxy configuration, then attackers with access to the local network can use the distribution of proxy settings via DHCP to inject malicious PAC files.
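Since the fix is tied to a single release (pac-resolver 5.0.0) and the exposure comes through transitive dependencies such as proxy-agent, the practical defender's check is to audit lock files for nested copies below that version. The following is an added example, not code from the article or from the pac-resolver project; the lock-file contents are constructed and the semver handling is a deliberate simplification (prerelease tags are ignored).

```javascript
// Added example: flag lock-file entries that pin pac-resolver below the fixed
// 5.0.0 release. Handles lockfileVersion 1 (nested "dependencies") and
// lockfileVersion 2/3 (flat "packages" keyed by install path).
const FIXED = [5, 0, 0];

// Minimal semver comparison: true when `version` is older than `floor`.
// Prerelease suffixes (e.g. "-beta.1") are dropped, which is a simplification.
function olderThan(version, floor) {
  const parts = version.replace(/^[^0-9]*/, '').split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== floor[i]) return a < floor[i];
  }
  return false;
}

// Return "path@version" for every pac-resolver copy older than FIXED.
function findVulnerablePacResolver(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: keys like "node_modules/proxy-agent/node_modules/pac-resolver"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/pac-resolver') && meta.version &&
          olderThan(meta.version, FIXED)) {
        hits.push(`${path}@${meta.version}`);
      }
    }
  } else if (lock.dependencies) {
    // v1: walk the nested dependency tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const here = `${prefix}${name}`;
        if (name === 'pac-resolver' && olderThan(meta.version, FIXED)) {
          hits.push(`${here}@${meta.version}`);
        }
        if (meta.dependencies) walk(meta.dependencies, `${here}/node_modules/`);
      }
    };
    walk(lock.dependencies, 'node_modules/');
  }
  return hits;
}

// Constructed sample lock file (v2 shape): one nested vulnerable copy under
// proxy-agent and one top-level copy already on the fixed release.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/proxy-agent/node_modules/pac-resolver': { version: '4.2.0' },
    'node_modules/pac-resolver': { version: '5.0.0' },
  },
};

console.log(findVulnerablePacResolver(sampleLock));
```

Run it against a real `package-lock.json` by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means no copy below 5.0.0 is pinned.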

Source: opennet.ru