Gitlab¶à¸öÇå¾²Îó²îΣº¦Í¨¸æ

Ðû²¼Ê±¼ä 2019-12-11

Îó²î±àºÅºÍ¼¶±ð


CVE±àºÅ£ºCVE-2019-19604£¬£¬£¬ £¬£¬Î£ÏÕ¼¶±ð£º¸ßΣ£¬£¬£¬ £¬£¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2019-19628£¬£¬£¬ £¬£¬Î£ÏÕ¼¶±ð£º¸ßΣ£¬£¬£¬ £¬£¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2019-19629£¬£¬£¬ £¬£¬Î£ÏÕ¼¶±ð£º¸ßΣ£¬£¬£¬ £¬£¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨


Ó°Ïì°æ±¾


ËùÓеÄGitLabOmnibus°æ±¾

GitLab EE 11.3 ¼°¸ü¸ßµÄ°æ±¾

GitLab EE 10.5 ¼°¸ü¸ßµÄ°æ±¾


Îó²î¸ÅÊö


GitlabÊÇÒ»¸öÓÃÓÚ¿ÍÕ»ÖÎÀíϵͳµÄ¿ªÔ´ÏîÄ¿£¬£¬£¬ £¬£¬Ê¹ÓÃGit×÷Ϊ´úÂëÖÎÀí¹¤¾ß£¬£¬£¬ £¬£¬²¢ÔÚ´Ë»ù´¡ÉϴÆðÀ´µÄWebЧÀÍ¡£¡£¡£


CVE-2019-19604

git×ÓÄ£¿£¿ £¿£¿£¿£¿£¿£¿é¸üвÙ×÷¿ÉÒÔµ¼ÖÂÖ´ÐÐ.gitmodulesÎļþÖнç˵µÄí§ÒâshellÏÂÁî¡£¡£¡£


CVE-2019-19628

ÓÉÓÚMaven°ü×¢²á±íµÄ²ÎÊý´¦Öóͷ£ÎÊÌ⣬£¬£¬ £¬£¬¿ÉÄܻᵼÖÂȨÏÞÌáÉýºÍijЩÌõ¼þϵÄÔ¶³Ì´úÂëÖ´ÐÐÎó²î¡£¡£¡£


CVE-2019-19629

µ±½«¹«¹²ÏîĿתÒƵ½Ë½ÓÐ×éʱ£¬£¬£¬ £¬£¬Ë½ÓдúÂ뽫ͨ¹ýElasticsearch¼¯³ÉÌṩµÄGroupSearch API»ñÈ¡¡£¡£¡£


Îó²îÑéÖ¤


EXP:CVE-2019-19604

https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md£»£»£»£»£»£»£»£»


CVE-2019-19628£¬£¬£¬ £¬£¬CVE-2019-19628


ÔÝÎÞEXP/POC¡£¡£¡£


ÐÞ¸´½¨Òé


ÉÏÊöÊÜÓ°Ïì°æ±¾µÄ×°Öþ¡¿ìÉý¼¶µ½×îа汾¡£¡£¡£ÈçÐè¸üУ¬£¬£¬ £¬£¬Çëµ½¹ÙÍøÏÂÔØ£ºhttps://about.gitlab.com/update£»£»£»£»£»£»£»£»

GitLabÒªº¦Çå¾²°æ±¾£º12.5.4¡¢12.4.6ºÍ12.3.9£»£»£»£»£»£»£»£»

¸üÐÂGitÒÀÀµ¹Øϵµ½2.22.2£»£»£»£»£»£»£»£»

ÈôÊÇÎÞ·¨Éý¼¶£¬£¬£¬ £¬£¬Çë˼Á¿½ûÓÃElasticearch¡£¡£¡£


²Î¿¼Á´½Ó


https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/