PT-2024-18969 · Gitpod · Gitpod

Elliot Ward · Published 2024-07-19 · Updated 2024-10-31

CVE-2024-21583
CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

- github.com/gitpod-io/gitpod/components/server/go/pkg/lib, versions before main-gha.27122
- github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy, versions before main-gha.27122
- github.com/gitpod-io/gitpod/install/installer/pkg/components/auth, versions before main-gha.27122
- github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server, versions before main-gha.27122
- github.com/gitpod-io/gitpod/install/installer/pkg/components/server, versions before main-gha.27122
- @gitpod/gitpod-protocol, versions before 0.1.5-main-gha.27122
Description

The issue is due to a missing __Host- prefix on the _gitpod_io_jwt2_ session cookie, which allows an adversary who controls a subdomain to set the value of that cookie for the Gitpod control plane. The cookie can be set to the attacker's own JWT, so that specific actions taken by the victim, such as connecting a new GitHub organization, are performed under the attacker's session.
Recommendations

- For github.com/gitpod-io/gitpod/components/server/go/pkg/lib versions before main-gha.27122, update to a version after main-gha.27122.
- For github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy versions before main-gha.27122, update to a version after main-gha.27122.
- For github.com/gitpod-io/gitpod/install/installer/pkg/components/auth versions before main-gha.27122, update to a version after main-gha.27122.
- For github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server versions before main-gha.27122, update to a version after main-gha.27122.
- For github.com/gitpod-io/gitpod/install/installer/pkg/components/server versions before main-gha.27122, update to a version after main-gha.27122.
- For @gitpod/gitpod-protocol versions before 0.1.5-main-gha.27122, update to version 0.1.5-main-gha.27122 or later.
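The mitigation the description points at is the __Host- cookie prefix: a browser only stores a cookie whose name starts with __Host- if it was set over a secure connection with the Secure attribute, has no Domain attribute, and has Path=/, and such a cookie is bound to the exact host that set it, so a page on a subdomain cannot plant or overwrite it. The following Go program is an added example written for this page; it is not Gitpod's code and does not reproduce the actual fix. It builds a prefixed session cookie, checks a cookie against the prefix rules the browser will enforce, and reads the session only from the prefixed name so an unprefixed cookie of the same base name is ignored. The base name "session" and the token values are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

const hostPrefix = "__Host-"

// NewHostPrefixedSessionCookie builds a session cookie whose name carries the
// __Host- prefix together with the attributes the prefix demands: Secure,
// Path=/ and no Domain. HttpOnly and SameSite are added as general hardening.
// A cookie missing any required attribute would simply be dropped by the browser.
func NewHostPrefixedSessionCookie(baseName, value string) *http.Cookie {
	return &http.Cookie{
		Name:     hostPrefix + baseName,
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
		// Domain is deliberately left empty: a __Host- cookie is host-only,
		// which is what stops a subdomain from setting it for the parent host.
	}
}

// CheckHostPrefix reports whether a cookie satisfies the __Host- prefix rules
// browsers enforce. It returns nil for a compliant cookie and an error naming
// the first violated rule otherwise; an unprefixed cookie is reported as the
// weak configuration this advisory describes.
func CheckHostPrefix(c *http.Cookie) error {
	if !strings.HasPrefix(c.Name, hostPrefix) {
		return fmt.Errorf("cookie %q lacks the __Host- prefix; a subdomain could set it", c.Name)
	}
	if !c.Secure {
		return errors.New("__Host- cookies require the Secure attribute")
	}
	if c.Domain != "" {
		return fmt.Errorf("__Host- cookies must not carry a Domain attribute (got %q)", c.Domain)
	}
	if c.Path != "/" {
		return fmt.Errorf("__Host- cookies require Path=/ (got %q)", c.Path)
	}
	return nil
}

// SessionFromRequest reads the session token only from the __Host- prefixed
// cookie. A cookie named just baseName, which is what a subdomain could plant
// against an unprefixed deployment, is never consulted.
func SessionFromRequest(r *http.Request, baseName string) (string, bool) {
	c, err := r.Cookie(hostPrefix + baseName)
	if err != nil {
		return "", false
	}
	return c.Value, true
}

func main() {
	// Weak form: an unprefixed, domain-scoped cookie (constructed sample).
	weak := &http.Cookie{Name: "session", Value: "token", Path: "/", Domain: "example.com", Secure: true}
	fmt.Println("weak cookie:", CheckHostPrefix(weak))

	// Hardened form: the same session carried in a __Host- cookie.
	strong := NewHostPrefixedSessionCookie("session", "token")
	fmt.Println("hardened cookie:", strong.String(), "check:", CheckHostPrefix(strong))
}
```

CheckHostPrefix is the kind of assertion worth running in a unit test over every cookie a service issues, so that a future change which reintroduces a Domain attribute or drops Secure fails in CI rather than silently making the cookie settable again from a subdomain.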

Fix

Weakness Enumeration

Related Identifiers

CVE-2024-21583
GHSA-8PGC-65MJ-53H5
GO-2024-2997

Affected Products

Gitpod