PT-2020-12285 · Eclipse · Eclipse Che
Published: 2020-04-03 · Updated: 2021-12-20 · CVE-2020-10689
CVSS v3.1: 6.8 (Medium)
Vector: AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Eclipse Che versions up to 7.8.x
Description
A flaw was found in Eclipse Che where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass the JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge of the service name and namespace of the target pod.
Recommendations
For Eclipse Che versions up to 7.8.x, restrict access to workspace pods to prevent unauthorized access until a patch is available.
As a temporary workaround, consider implementing additional access controls to the workspace pods to minimize the risk of exploitation.
Exploit
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Eclipse Che