PT-2023-16641 · Gitpod · Gitpod

Govulnbot

Publicado

2023-03-03

Atualizado

2023-03-10

CVE-2023-0957

CVSS v3.1

9.6

Crítica

Vetor

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Gitpod versions prior to release-2022.11.2.16

Description The issue allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials due to the lack of restriction on the Origin header. This can lead to the extraction of data from workspaces or a full takeover of the workspace.

Recommendations For versions prior to release-2022.11.2.16, update to release-2022.11.2.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the Gitpod JSONRPC server to minimize the risk of exploitation.

Correção

Origin Validation Error

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-346CWE-1385

Identificadores relacionados

CVE-2023-0957

Produtos afetados

Gitpod

PT-2023-16641 · Gitpod · Gitpod

CVE-2023-0957

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 10