An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: snyk
Published: 2023-03-03T07:00:41.041Z
Updated: 2023-03-03T07:00:41.041Z
Reserved: 2023-02-22T16:03:07.508Z
Link: CVE-2023-0957
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-03-03T08:15:08.613
Modified: 2023-03-10T19:04:18.057
Link: CVE-2023-0957
JSON object: View
Redhat Information
No data.