GitLab Community Edition (CE) and Enterprise Edition (EE) have released versions 10.1.2, 10.0.6 and 9.5.10.
These releases contain several security fixes, including updates to several third-party applications shipped with the GitLab Omnibus package, a fix for a server-side request forgery (SSRF) protection bypass, the reintroduction of GitLab Geo security fixes that were omitted from the GitLab 10.1 release, and the addition of some security headers to the GitLab API.
Security vulnerabilities in curl
The version of curl included in the GitLab Omnibus package has been updated to patch multiple security vulnerabilities.
SSRF vulnerability via project import
EDIO reported via HackerOne that GitLab's SSRF protection could be bypassed using IP addresses written in decimal, octal or other formats. This could allow a malicious user to use project import to send requests to services running on the local interface of the GitLab instance.
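The bypass class described above (an IP literal in an alternative notation slipping past a loopback/private-range check) is best closed by failing closed: accept only canonical IP literals, reject anything IP-like that is not canonical, and check the addresses a hostname actually resolves to. The code below is an added example, not GitLab's own implementation; `import_url_allowed`, `parse_ip_literal`, `is_blocked` and the caller-supplied `resolved` list are assumptions of this example.

```python
"""Fail-closed SSRF guard for a user-supplied import URL (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Only canonical dotted-decimal IPv4 is accepted as a literal: four octets,
# no leading zeros. Octal-looking 0177.0.0.1, shorthand 127.1, a bare integer
# 2130706433 or hex 0x7f000001 do not match and are rejected further down.
_CANONICAL_IPV4 = re.compile(r"\A(?:(?:0|[1-9]\d{0,2})\.){3}(?:0|[1-9]\d{0,2})\Z")


def _looks_like_ipv4_literal(host):
    """Hostnames never end in an all-digit label or contain a 0x label, so
    such a host is an IP literal in some notation and must be canonical."""
    labels = host.split(".")
    return labels[-1].isdigit() or any(l.startswith("0x") for l in labels)


def is_blocked(ip):
    """True when the address points at the instance itself or an internal net."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is 127.0.0.1 in disguise
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def parse_ip_literal(host):
    """Address object for a canonical literal, None for a plain hostname,
    ValueError for a literal in a non-canonical notation."""
    if ":" in host:  # urlsplit already strips the brackets from [::1]
        return ipaddress.IPv6Address(host)  # raises ValueError on junk
    if _CANONICAL_IPV4.match(host):
        return ipaddress.IPv4Address(host)  # raises if an octet exceeds 255
    if _looks_like_ipv4_literal(host):
        raise ValueError("non-canonical IPv4 literal: %r" % host)
    return None


def import_url_allowed(url, resolved=()):
    """Fail-closed decision. `resolved` holds the addresses the hostname
    resolved to (assumed: the caller resolves once and connects to exactly
    those), so a hostname pointing at an internal address is caught too."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        ip = parse_ip_literal(host)
    except ValueError:
        return False
    if ip is not None:
        return not is_blocked(ip)
    # Plain hostname: unresolved is rejected; every resolved address must pass.
    return bool(resolved) and all(not is_blocked(ipaddress.ip_address(a))
                                  for a in resolved)
```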
Missing X-Content-Type-Options header in API responses
During an external security audit conducted by Recurity-Labs, it was found that the GitLab API did not include the HTTP X-Content-Type-Options header. The absence of this header could make it easier for an attacker to exploit other, as yet undiscovered vulnerabilities in the GitLab API.
Software details: https://about.gitlab.com/2017/11/08/gitlab-10-dot-1-dot-2-security-release/
Source: OSChina community

