GitLab multiple security vulnerabilities: risk advisory

Published 2019-12-11

Vulnerability IDs and severity

CVE ID: CVE-2019-19604, severity: high, CVSS score: not yet assessed by the vendor

CVE ID: CVE-2019-19628, severity: high, CVSS score: not yet assessed by the vendor

CVE ID: CVE-2019-19629, severity: high, CVSS score: not yet assessed by the vendor


Affected versions

All GitLab Omnibus versions

GitLab EE 11.3 and later

GitLab EE 10.5 and later


Vulnerability overview

GitLab is an open-source repository management system that uses Git as its code management tool and provides a web service built on top of it.

CVE-2019-19604

A git submodule update operation can lead to execution of arbitrary shell commands defined in the .gitmodules file.

CVE-2019-19628

A parameter-handling issue in the Maven package registry can lead to privilege escalation and, under certain conditions, remote code execution.

CVE-2019-19629

When a public project is transferred to a private group, its now-private code can still be retrieved through the Group Search API provided by the Elasticsearch integration.
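The setting that makes this possible is the documented `submodule.<name>.update = !command` form, which tells Git to run a custom command instead of checking out the submodule. The following scanner, an added example that is not part of this advisory or of GitLab's own tooling, parses a `.gitmodules` file and flags any submodule whose `update` value starts with `!`, so a CI job or pre-receive hook can reject such repositories before anyone runs a recursive clone or `git submodule update`. The sample `.gitmodules` content and the submodule names in it are constructed for the example.

```python
import re
import sys

# git-config style section header for a submodule:  [submodule "name"]
SECTION_RE = re.compile(r'^\[submodule\s+"([^"]+)"\]$')
# key = value line; git keys are case-insensitive
KV_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)$')

# Constructed sample (not from the advisory): one ordinary submodule and one
# whose update setting is a custom command.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "suspicious"]
\tpath = vendor/suspicious
\turl = https://example.invalid/suspicious.git
\tupdate = !echo custom-command
"""


def parse_gitmodules(text):
    """Parse .gitmodules into {submodule_name: {key: value}}.

    Only [submodule "..."] sections are kept; comment lines (# or ;) and
    blank lines are skipped. Keys are lower-cased like git does.
    """
    modules = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules


def find_command_updates(modules):
    """Return (name, update_value) for every submodule whose update setting
    is a custom command ("!..."), the mechanism behind CVE-2019-19604."""
    findings = []
    for name, cfg in modules.items():
        update = cfg.get("update", "")
        if update.startswith("!"):
            findings.append((name, update))
    return findings


def scan_gitmodules_text(text):
    """Convenience wrapper: parse then scan."""
    return find_command_updates(parse_gitmodules(text))


def scan_gitmodules_file(path):
    """Scan a .gitmodules file on disk (e.g. from a hook or CI job)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_gitmodules_text(fh.read())


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the embedded sample.
    hits = scan_gitmodules_file(sys.argv[1]) if len(sys.argv) > 1 \
        else scan_gitmodules_text(SAMPLE_GITMODULES)
    for name, value in hits:
        print(f"REJECT: submodule {name!r} sets update to a command: {value!r}")
    sys.exit(1 if hits else 0)
```

The scanner exits non-zero when any finding is present, so it can gate a merge or a server-side receive. It is a belt-and-braces control for hosts that cannot immediately move to a patched Git; the real fix is the Git upgrade named under remediation, after which Git no longer honours the `!command` form read from `.gitmodules`.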


Vulnerability verification

EXP: CVE-2019-19604

https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md

CVE-2019-19628, CVE-2019-19629

No EXP/PoC available yet.


Remediation advice

Installations running the affected versions above should upgrade to the latest version as soon as possible. Downloads are available from the official site: https://about.gitlab.com/update

GitLab critical security releases: 12.5.4, 12.4.6 and 12.3.9.

Update the Git dependency to 2.22.2.

If upgrading is not possible, consider disabling Elasticsearch.
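Because the fix was backported to three release branches, "is my instance patched?" is a per-branch comparison rather than a simple "newer is better" check. The helper below, an added example that is not part of this advisory, encodes the fixed versions listed above and answers that question for a GitLab version string (as shown on the admin page or returned by the version API, e.g. `12.5.3-ee`) and for `git --version` output. Branches the advisory does not list are treated as not patched; the one assumption added here is that any release newer than 12.5.4 carries the fix, since the advisory's instruction is to upgrade to the latest version.

```python
import re

# Minimum patched release per GitLab branch, as listed in the advisory.
FIXED_GITLAB = {
    (12, 5): (12, 5, 4),
    (12, 4): (12, 4, 6),
    (12, 3): (12, 3, 9),
}
# Git dependency version named in the advisory.
FIXED_GIT = {(2, 22): (2, 22, 2)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first major.minor.patch triple from a version string,
    tolerating suffixes such as '-ee' or a leading 'git version '."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def _patched_on_listed_branch(version, fixed_by_branch):
    """True if the version's branch is listed and the patch level is high enough."""
    branch = version[:2]
    return branch in fixed_by_branch and version >= fixed_by_branch[branch]


def gitlab_is_patched(version_text):
    """Return True if this GitLab version contains the fixes from the advisory."""
    v = parse_version(version_text)
    if _patched_on_listed_branch(v, FIXED_GITLAB):
        return True
    # Assumption (not stated in the advisory): releases newer than the newest
    # fixed version, e.g. 12.6.x, also carry the fix. Older unlisted branches
    # (12.2 and below) received no backport and are reported as unpatched.
    return v > max(FIXED_GITLAB.values())


def git_is_patched(version_text):
    """Return True if this Git build is at or above 2.22.2 on the 2.22 branch.

    Other Git branches are reported as unpatched because the advisory only
    names 2.22.2; check the Git project's own release notes for those."""
    return _patched_on_listed_branch(parse_version(version_text), FIXED_GIT)


def assess(gitlab_version_text, git_version_text):
    """Combine both checks into a single status dictionary for reporting."""
    return {
        "gitlab": gitlab_is_patched(gitlab_version_text),
        "git": git_is_patched(git_version_text),
    }


if __name__ == "__main__":
    # Constructed sample inputs; replace with the live values on your host.
    status = assess("12.5.3-ee", "git version 2.22.1")
    for component, ok in status.items():
        print(f"{component}: {'patched' if ok else 'NOT patched, upgrade required'}")
```

A monitoring job can run `assess()` against the values collected from each instance and raise an alert for any `False`; the constructed sample in the `__main__` block is one patch level short on both components and therefore reports both as needing an upgrade.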


References


https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/