Vulnerabilities in GitLab allowing account takeover and execution of commands as another user

Corrective releases of the collaborative development platform have been published: GitLab 16.7.2, 16.6.4 and 16.5.6, fixing two critical vulnerabilities. The first (CVE-2023-7028), rated at the maximum severity level (10 out of 10), allows taking over another person's account by manipulating the forgotten-password reset form. The vulnerability stems from the ability to have the email containing the password reset code delivered to unverified email addresses. The problem has been present since the release of GitLab 16.1.0, which introduced the ability to send the password reset code to an unverified email address.

To check systems for signs of compromise, it is recommended to examine the gitlab-rails/production_json.log log for HTTP requests to the /users/password handler whose "params.value.email" parameter contains a list of several email addresses. It is also recommended to check the gitlab-rails/audit_json.log log for entries with the value PasswordsController#create in meta.caller.id and a list of several addresses in the target_details block. The attack cannot be completed if the user has enabled two-factor authentication.
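As an added illustration (not part of the original article and not GitLab's own tooling), the Python below runs the two log checks described above over constructed sample lines. The sample records, the flat "meta.caller_id" key used for the audit log, and the hypothetical attacker address are assumptions; verify the exact field names against the logs of a real instance before relying on the script.

```python
import json
from typing import Any, Iterable, Iterator

# Constructed sample lines (not real GitLab logs). The layout mimics the shape of
# gitlab-rails/production_json.log: Rails params are logged as a list of
# {"key": ..., "value": ...} objects, and the reset form posts them under "user".
# Only the second request carries an array of two addresses in params.value.email,
# which is the pattern the advisory tells administrators to look for.
PRODUCTION_JSON_LOG = """
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"198.51.100.7","time":"2024-01-12T09:00:00.000Z"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["victim@example.com","attacker@evil.example"]}}],"remote_ip":"203.0.113.9","time":"2024-01-12T09:01:00.000Z"}
{"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"198.51.100.7","time":"2024-01-12T09:02:00.000Z"}
"""

# Constructed audit_json.log lines. target_details may appear as a plain string, a
# JSON list, or a JSON-encoded list inside a string; the last two are suspicious.
AUDIT_JSON_LOG = r"""
{"time":"2024-01-12T09:00:00.000Z","meta.caller_id":"PasswordsController#create","target_details":"alice@example.com"}
{"time":"2024-01-12T09:01:00.000Z","meta.caller_id":"PasswordsController#create","target_details":["victim@example.com","attacker@evil.example"]}
{"time":"2024-01-12T09:03:00.000Z","meta.caller_id":"SessionsController#create","target_details":"alice@example.com"}
{"time":"2024-01-12T09:04:00.000Z","meta.caller_id":"PasswordsController#create","target_details":"[\"victim2@example.com\",\"attacker@evil.example\"]"}
"""

RESET_PATH = "/users/password"
RESET_CALLER = "PasswordsController#create"


def _as_list(value: Any) -> list:
    """Normalise a scalar, a list, or a JSON-encoded list into a Python list."""
    if isinstance(value, str):
        try:
            decoded = json.loads(value)
        except ValueError:
            return [value]
        return decoded if isinstance(decoded, list) else [value]
    if isinstance(value, list):
        return value
    return [] if value is None else [value]


def emails_from_params(params: Any) -> list:
    """Collect every address found under params.value.email (any key, list or dict form)."""
    found: list = []
    entries = params if isinstance(params, list) else [{"key": None, "value": params}]
    for entry in entries:
        value = entry.get("value") if isinstance(entry, dict) else None
        if isinstance(value, dict) and "email" in value:
            found.extend(str(e) for e in _as_list(value["email"]))
    return found


def _parse_lines(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per well-formed JSON line; skip blanks and malformed lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except ValueError:
            continue


def suspicious_reset_requests(lines: Iterable[str]) -> list:
    """Flag requests to /users/password whose email parameter names more than one address."""
    hits = []
    for entry in _parse_lines(lines):
        if entry.get("path") != RESET_PATH:
            continue
        emails = emails_from_params(entry.get("params"))
        if len(set(emails)) > 1:
            hits.append({"time": entry.get("time"), "method": entry.get("method"),
                         "remote_ip": entry.get("remote_ip"), "emails": emails})
    return hits


def _caller_id(entry: dict) -> Any:
    """Read the caller id from the flat 'meta.caller_id' key, or a nested meta.caller.id."""
    if "meta.caller_id" in entry:
        return entry["meta.caller_id"]
    return entry.get("meta", {}).get("caller", {}).get("id")


def suspicious_audit_entries(lines: Iterable[str]) -> list:
    """Flag PasswordsController#create audit events whose target_details lists several addresses."""
    hits = []
    for entry in _parse_lines(lines):
        if _caller_id(entry) != RESET_CALLER:
            continue
        targets = [str(t) for t in _as_list(entry.get("target_details"))]
        if len(set(targets)) > 1:
            hits.append({"time": entry.get("time"), "targets": targets})
    return hits


def run_check(production_log: str = PRODUCTION_JSON_LOG, audit_log: str = AUDIT_JSON_LOG) -> dict:
    """Run both sweeps and return the findings; feed real log contents for a live check."""
    return {"reset_requests": suspicious_reset_requests(production_log.splitlines()),
            "audit_entries": suspicious_audit_entries(audit_log.splitlines())}


if __name__ == "__main__":
    for kind, findings in run_check().items():
        for hit in findings:
            print(kind, json.dumps(hit))
```

For a live sweep, pass the contents of the two log files (or a `zcat` of their rotated copies) to `run_check`; each flagged request should be followed up by checking whether the user whose address appears alongside an unfamiliar one had two-factor authentication enabled at the time.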

The second vulnerability, CVE-2023-5356, is located in the code for integration with the Slack and Mattermost services and allows executing slash commands (/-commands) as another user because of a missing authorization check. The issue is rated 9.6 out of 10 in severity. The new releases also eliminate a less dangerous vulnerability (7.6 out of 10), CVE-2023-4812, which allows bypassing CODEOWNERS approval by adding changes to a previously approved merge request.

Full information about the identified vulnerabilities is scheduled to be disclosed 30 days after publication of the fix. The vulnerabilities were reported to GitLab through its HackerOne vulnerability bounty program.

Source: opennet.ru
