Tracked as CVE-2022-2884, the issue is rated 9.9 on the CVSS vulnerability scoring system and affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 11.3.4 before 15.1.5, all versions starting from 15.2 before 15.2.3, and all versions starting from 15.3 before 15.3.1.
At its core, the security weakness is an authenticated remote code execution flaw that can be triggered through the GitHub import API. GitLab has credited yvvdwf with discovering and reporting the vulnerability.
While the issue has been resolved in versions 15.3.1, 15.2.3, and 15.1.5, users also have the option to protect against the vulnerability by temporarily disabling the GitHub import option:

1. Click “Menu” -> “Administration”
2. Click “Settings” -> “General”
3. Expand the “Visibility and Access Control” tab
4. Under “Import Sources”, disable the “GitHub” option
5. Click “Save Changes”
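For administrators who manage more than one instance, the same two checks can be scripted: decide whether a reported version string falls inside the affected ranges above, and apply the workaround through GitLab's Application Settings API (the `import_sources` setting) rather than the admin UI. The script below is an added example and is not code from GitLab or from the advisory; the instance URL and the `GITLAB_TOKEN` admin token are placeholders, and the `/api/v4/version` and `/api/v4/application/settings` endpoints are the ones GitLab documents for its REST API.

```python
"""Check a GitLab version against the CVE-2022-2884 affected ranges and,
optionally, apply the advisory's workaround (disable the GitHub import
source) via the Application Settings API.

Added example, not GitLab's own code. GITLAB_URL / GITLAB_TOKEN are
placeholders supplied by the operator; the token must belong to an admin.
"""
import json
import os
import sys
import urllib.request

# Affected ranges from the advisory, as [first affected, first fixed).
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
]


def parse_version(text):
    """Turn '15.2.3-ee' or '15.3' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-", 1)[0]  # drop '-ee', '-pre' and similar suffixes
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def is_affected(version_text):
    """True if the version lies in any of the advisory's vulnerable ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version_text):
    """Smallest patched release on the same branch, or None if not affected."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def _api(base_url, token, path, method="GET", body=None):
    """Minimal /api/v4 client; base_url is e.g. https://gitlab.example.com."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4{path}",
                                 data=data, method=method)
    req.add_header("PRIVATE-TOKEN", token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def instance_version(base_url, token):
    """Version string reported by the instance (GET /api/v4/version)."""
    return _api(base_url, token, "/version")["version"]


def disable_github_import(base_url, token):
    """API equivalent of the UI workaround: remove 'github' from the allowed
    import sources. Returns the import sources that remain enabled."""
    settings = _api(base_url, token, "/application/settings")
    remaining = [s for s in settings["import_sources"] if s != "github"]
    updated = _api(base_url, token, "/application/settings", method="PUT",
                   body={"import_sources": remaining})
    return updated["import_sources"]


if __name__ == "__main__":
    # Offline use: python cve_2022_2884.py 15.2.2-ee
    if len(sys.argv) > 1:
        for arg in sys.argv[1:]:
            fix = fixed_version_for(arg)
            print(f"{arg}: {'AFFECTED, upgrade to ' + fix if fix else 'not affected'}")
    # Online use: set GITLAB_URL and GITLAB_TOKEN (admin) in the environment.
    url, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")
    if url and token:
        ver = instance_version(url, token)
        print(f"{url} runs {ver}")
        if is_affected(ver):
            print("still enabled:", disable_github_import(url, token))
```

The range check treats the advisory's three windows as half-open intervals, so a version equal to a fixed release (15.1.5, 15.2.3, 15.3.1) is reported as not affected while 15.3.0-pre is. The workaround is only applied when the instance actually reports a vulnerable version, and it leaves every other import source as it was.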
There is no evidence that the problem is being exploited in the wild. That said, users running an affected installation are advised to update to the latest version as soon as possible.