Second critical vulnerability in GitLab in a week

GitLab has published the next series of corrective updates for its collaborative development platform, 15.3.2, 15.2.4 and 15.1.6, which eliminate a critical vulnerability (CVE-2022-2992) that allows an authenticated user to execute code remotely on the server. Like the CVE-2022-2884 vulnerability fixed a week ago, the new issue is located in the API for importing data from the GitHub service. The vulnerability is also present in releases 15.3.1, 15.2.3 and 15.1.5, which fixed the first vulnerability in the GitHub import code.

Details of exploitation have not been disclosed. Information about the vulnerability was submitted to GitLab as part of the HackerOne vulnerability bounty programme, but unlike the previous issue, it was identified by a different researcher. As a workaround, administrators are advised to disable the import function from GitHub (in the GitLab web interface: "Menu" -> "Admin" -> "Settings" -> "General" -> "Visibility and access controls" -> "Import sources" -> disable "GitHub").

In addition, the proposed update fixes 14 more vulnerabilities, two of which are marked as high severity, ten are assigned a medium severity level, and two are marked as low severity. The following are considered high severity: CVE-2022-2865, which allows an attacker to add their own JavaScript code to pages shown to other users by manipulating colour labels, and CVE-2022-2527, which makes it possible to substitute arbitrary content through the description field in the incident timeline. The medium-severity vulnerabilities are mainly related to denial of service.

Source: opennet.ru