PT-2023-16641 · Gitpod · Gitpod

Govulnbot · Published 2023-03-03 · Updated 2023-03-10 · CVE-2023-0957

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gitpod versions prior to release-2022.11.2.16

Description: Because the Gitpod JSONRPC server does not restrict the Origin header on WebSocket connections, an attacker can open WebSocket connections to it using a victim's credentials. This can lead to the extraction of data from workspaces or a full takeover of the workspace.

Recommendations: For versions prior to release-2022.11.2.16, update to release-2022.11.2.16 or later to resolve the issue. As a temporary workaround, restrict access to the Gitpod JSONRPC server to minimize the risk of exploitation.
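The missing control in this advisory is an Origin check on the WebSocket handshake. The following is an added illustration, not Gitpod's code or its actual fix: an exact-match Origin allowlist applied before an HTTP Upgrade request is accepted as a WebSocket. The hostnames, the `ALLOWED_ORIGINS` set and the sample handshakes are constructed assumptions.

```javascript
// Added example (not Gitpod's code): exact Origin allowlisting for WebSocket
// upgrade requests. Hostnames are constructed placeholders for a deployment.
const ALLOWED_ORIGINS = new Set([
  "https://gitpod.example.com",
  "https://ws.gitpod.example.com",
]);

// Reduce an Origin header value to "scheme://host[:port]" so comparisons are
// exact: no substring, prefix or suffix matching, which look-alike hosts defeat.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value.trim() === "" || value === "null") {
    return null; // absent, empty or opaque ("null") origin is never trusted
  }
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // not parseable as an absolute URL
  }
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null; // a genuine Origin header carries nothing beyond scheme://host[:port]
  }
  return url.origin; // lowercases the host and drops the scheme's default port
}

// Decide whether an Upgrade request may become a WebSocket. `headers` is a
// plain object keyed by lowercased header names, the shape of Node's req.headers.
// Requests without an Origin are rejected here: browsers always send it, and
// only browser-initiated connections carry the victim's ambient credentials.
function isAllowedUpgrade(headers) {
  const upgrade = String(headers["upgrade"] || "").toLowerCase();
  if (upgrade !== "websocket") return false;
  const origin = normalizeOrigin(headers["origin"]);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// Constructed sample handshakes: the deployment's own web app, a cross-site
// page, a look-alike host that defeats suffix matching, and a missing Origin.
const SAMPLE_UPGRADES = {
  legit:     { upgrade: "websocket", origin: "https://gitpod.example.com" },
  crossSite: { upgrade: "websocket", origin: "https://evil.example.net" },
  lookAlike: { upgrade: "websocket", origin: "https://gitpod.example.com.evil.example.net" },
  noOrigin:  { upgrade: "websocket" },
};

for (const [name, headers] of Object.entries(SAMPLE_UPGRADES)) {
  console.log(name, isAllowedUpgrade(headers) ? "accept" : "reject");
}
```

In a real handler the rejected case should answer the upgrade with 403 and be logged, since a burst of rejected cross-site upgrades is a useful detection signal for this class of attack.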

Weakness Enumeration

Origin Validation Error

Related Identifiers

CVE-2023-0957

Affected Products

Gitpod