Gitpod · Gitpod · CVE-2024-21583
**Name of the Vulnerable Software and Affected Versions**
github.com/gitpod-io/gitpod/components/server/go/pkg/lib versions before main-gha.27122
github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy versions before main-gha.27122
github.com/gitpod-io/gitpod/install/installer/pkg/components/auth versions before main-gha.27122
github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server versions before main-gha.27122
github.com/gitpod-io/gitpod/install/installer/pkg/components/server versions before main-gha.27122
@gitpod/gitpod-protocol versions before 0.1.5-main-gha.27122
**Description**
The issue is due to a missing `__Host-` prefix on the `_gitpod_io_jwt2_` session cookie, which allows an adversary who controls a subdomain to set the value of that cookie for the Gitpod control plane. The cookie can be set to the attacker's own JWT, enabling the attacker to capture specific actions taken by the victim, such as connecting a new GitHub organization.
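The following is an added example, not code from the Gitpod project, showing the check a defender would apply to the cookie described above: a `__Host-` cookie must be Secure, carry `Path=/` and no `Domain`, and a cookie without the prefix can be overwritten from any subdomain. The cookie name `_gitpod_io_jwt2_` is taken from the advisory; the prefixed name, the function names and the sample Set-Cookie headers are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Cookie names for the example: the unprefixed name is from the advisory,
// the __Host- form is an assumed hardened variant, not Gitpod's actual name.
const (
	weakCookieName = "_gitpod_io_jwt2_"
	hostCookieName = "__Host-_gitpod_io_jwt2_"
)

// CheckHostPrefix enforces the browser rules for the __Host- prefix. A cookie
// without the prefix is reported because a subdomain can set it for the parent.
func CheckHostPrefix(c *http.Cookie) error {
	if !strings.HasPrefix(c.Name, "__Host-") {
		return errors.New("cookie lacks __Host- prefix: a subdomain can overwrite it")
	}
	if !c.Secure {
		return errors.New("__Host- cookie must be Secure")
	}
	if c.Path != "/" {
		return errors.New("__Host- cookie must set Path=/")
	}
	if c.Domain != "" {
		return errors.New("__Host- cookie must not set Domain")
	}
	return nil
}

// NewSessionCookie builds the hardened form of the session cookie.
func NewSessionCookie(jwt string) *http.Cookie {
	return &http.Cookie{Name: hostCookieName, Value: jwt, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}
}

// AuditSetCookie parses one raw Set-Cookie header value (for instance copied
// from a proxy log) using net/http and applies CheckHostPrefix to it.
func AuditSetCookie(raw string) error {
	resp := &http.Response{Header: http.Header{"Set-Cookie": {raw}}}
	cs := resp.Cookies()
	if len(cs) != 1 {
		return errors.New("could not parse Set-Cookie header")
	}
	return CheckHostPrefix(cs[0])
}

func main() {
	// Constructed header in the vulnerable shape: no prefix, Domain set.
	fmt.Println("weak:", AuditSetCookie(weakCookieName+"=jwt; Path=/; Secure; Domain=example.com"))
	fmt.Println("hardened:", CheckHostPrefix(NewSessionCookie("jwt")))
}
```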
**Recommendations**
For github.com/gitpod-io/gitpod/components/server/go/pkg/lib versions before main-gha.27122, update to a version after main-gha.27122.
For github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy versions before main-gha.27122, update to a version after main-gha.27122.
For github.com/gitpod-io/gitpod/install/installer/pkg/components/auth versions before main-gha.27122, update to a version after main-gha.27122.
For github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server versions before main-gha.27122, update to a version after main-gha.27122.
For github.com/gitpod-io/gitpod/install/installer/pkg/components/server versions before main-gha.27122, update to a version after main-gha.27122.
For @gitpod/gitpod-protocol versions before 0.1.5-main-gha.27122, update to version 0.1.5-main-gha.27122 or later.