gitlab gitlab 通过用户控制密钥绕过授权机制

admin

0
文章

0
评论

2023-11-30 06:34:56 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

gitlab gitlab 通过用户控制密钥绕过授权机制

CVE编号

CVE-2022-2499

利用情况

暂无

补丁情况

N/A

披露时间

2022-08-06

漏洞描述

An issue has been discovered in GitLab EE affecting all versions starting from 13.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab's Jira integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Jira issues.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2499.json
https://gitlab.com/gitlab-org/gitlab/-/issues/360800
https://hackerone.com/reports/1538068

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	gitlab	gitlab	*	From (including) 13.10.0	Up to (excluding) 15.0.5
	运行在以下环境
	应用	gitlab	gitlab	*	From (including) 15.1.0	Up to (excluding) 15.1.4
	运行在以下环境
	应用	gitlab	gitlab	15.2	-
	运行在以下环境
	系统	anolis_os_8	nodejs-devel	*		Up to (excluding) 14.21.1-2.0.1
	运行在以下环境
	系统	debian_sid	gitlab	*		Up to (excluding) 16.0.8+ds1-2
	运行在以下环境
	系统	oracle_8	oraclelinux-release	*		Up to (excluding) 2.0.20-2.module+el8.7.0+20895+79a25710