Malicious code found in rest-client and 10 other Ruby packages

In the popular Ruby package rest-client, with a total of 113 million downloads, a malicious code substitution (CVE-2019-15224) was identified that downloads executable commands and sends information to an external host. The attack was carried out by compromising the rest-client developer's account on rubygems.org, after which the attackers published releases 1.6.10 to 1.6.13 on 13-14 August, which included the malicious changes. Before the malicious versions were blocked, roughly a thousand users managed to download them (the attackers pushed updates to old versions so as not to draw attention).

The malicious change overrides the "#authenticate" method in the Identity class, after which every call of that method results in the email and password passed during the authentication attempt being sent to the attackers' host. In this way the login credentials are intercepted for users of services that use the Identity class and have installed the vulnerable version of the rest-client library, which is included as a dependency in many popular Ruby packages, including ast (64 million downloads), oauth (32 million), fastlane (18 million) and kubeclient (3.7 million).

In addition, a backdoor was added to the code that allows arbitrary Ruby code to be executed via the eval function. The code is passed in a Cookie signed with the attackers' key. To notify the attackers of the installation of the malicious package, the URL of the victim's system and a selection of information about the environment, such as saved passwords for the DBMS and cloud services, are sent to an external host. Attempts to download cryptocurrency mining scripts through the malicious code described above were recorded.

A study of the malicious code revealed that similar changes are present in 10 packages on Ruby Gems that were not hijacked but were specially prepared by the attackers, modelled on other popular libraries with similar names in which a hyphen was replaced by an underscore or vice versa (for example, the malicious package cron_parser was created based on cron-parser, and the malicious package doge-coin based on doge_coin). The problem packages:

The first malicious package on this list was published on 12 May, but most of them appeared in July. In total, these packages were downloaded about 2500 times.
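As an added defensive check, not code from the article or from the rest-client project: a small Ruby audit of a Gemfile.lock that flags the backdoored rest-client releases named above and any gem whose name differs from a known-good gem only by a hyphen/underscore swap, the typosquatting pattern the article describes. The sample lockfile and the allow-list of known-good names are constructed for this example.

```ruby
# rest-client releases the article reports as backdoored (CVE-2019-15224).
MALICIOUS_REST_CLIENT = %w[1.6.10 1.6.11 1.6.12 1.6.13].freeze
# Legitimate names the article pairs with the typosquats, plus rest-client;
# a constructed allow-list for this example, far shorter than a real one.
KNOWN_GOOD_NAMES = %w[cron-parser doge_coin rest-client].freeze
# Parse the "specs:" block of a Gemfile.lock into { name => version }.
# Spec lines are indented 4 spaces; 6-space lines are dependency constraints.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line !~ /\A\s/ # new top-level section
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = m[2] if m
  end
  specs
end

# Flag a backdoored rest-client and any gem whose name equals a known-good
# gem only after a hyphen/underscore swap (e.g. cron_parser vs cron-parser).
def audit_specs(specs, known_good = KNOWN_GOOD_NAMES)
  by_folded = known_good.group_by { |n| n.tr("_", "-") } # fold _ into -
  findings = []
  specs.each do |name, version|
    if name == "rest-client" && MALICIOUS_REST_CLIENT.include?(version)
      findings << "rest-client #{version}: backdoored release (CVE-2019-15224)"
    end
    next if known_good.include?(name)
    (by_folded[name.tr("_", "-")] || []).each do |legit|
      findings << "#{name}: hyphen/underscore look-alike of #{legit}"
    end
  end
  findings
end
SAMPLE_LOCK = <<~LOCK # constructed sample, not a real project's lockfile
  GEM
    specs:
      cron_parser (0.1.4)
      rest-client (1.6.13)
        mime-types (>= 1.16)
      nokogiri (1.10.4)
  DEPENDENCIES
    rest-client
LOCK
puts audit_specs(parse_lockfile_specs(SAMPLE_LOCK))
```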

Source: opennet.ru
