CVE-2023-0957 - OpenCVE

An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Gitpod	Gitpod

Configuration 1 [-]

cpe:2.3:a:gitpod:gitpod:*:*:*:*:*:*:*:*

References

Link	Resource
https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=default&orgId=71ccd717-aa2d-4a1e-942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d	Vendor Advisory
https://github.com/gitpod-io/gitpod/commit/12956988eec0031f42ffdfa3bdc3359f65628f9f	Patch
https://github.com/gitpod-io/gitpod/commit/673ab6856fa04c13b7b1f2a968e4d090f1d94e4f	Patch
https://github.com/gitpod-io/gitpod/pull/16378	Issue Tracking Patch
https://github.com/gitpod-io/gitpod/pull/16405	Issue Tracking Patch
https://github.com/gitpod-io/gitpod/releases/tag/release-2022.11.2	Release Notes
https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2023-03-03T07:00:41.041Z

Updated: 2023-03-03T07:00:41.041Z

Reserved: 2023-02-22T16:03:07.508Z

Link: CVE-2023-0957

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-03-03T08:15:08.613

Modified: 2023-03-10T19:04:18.057

Link: CVE-2023-0957

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-0957", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-22T16:03:07.508Z", "datePublished": "2023-03-03T07:00:41.041Z", "dateUpdated": "2023-03-03T07:00:41.041Z"}, "containers": {"cna": {"affected": [{"product": "Gitpod", "vendor": "Gitpod", "versions": [{"lessThan": "2022.11.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-03-03T07:00:41.041Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim\u2019s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace."}], "references": [{"url": "https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=default&orgId=71ccd717-aa2d-4a1e-942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d"}, {"url": "https://github.com/gitpod-io/gitpod/releases/tag/release-2022.11.2"}, {"url": "https://github.com/gitpod-io/gitpod/pull/16378"}, {"url": "https://github.com/gitpod-io/gitpod/pull/16405"}, {"url": "https://github.com/gitpod-io/gitpod/commit/12956988eec0031f42ffdfa3bdc3359f65628f9f"}, {"url": "https://github.com/gitpod-io/gitpod/commit/673ab6856fa04c13b7b1f2a968e4d090f1d94e4f"}, {"url": "https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1385", "description": "CWE-1385 Missing Origin Validation in WebSockets"}]}], "credits": [{"lang": "en", "value": "Elliot Ward, Snyk"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitpod:gitpod:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA92F145-3FE3-4749-AA7B-648BC0588E31", "versionEndExcluding": "2022.11.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim\u2019s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace."}], "id": "CVE-2023-0957", "lastModified": "2023-03-10T19:04:18.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2023-03-03T08:15:08.613", "references": [{"source": "report@snyk.io", "tags": ["Vendor Advisory"], "url": "https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=default&orgId=71ccd717-aa2d-4a1e-942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/gitpod-io/gitpod/commit/12956988eec0031f42ffdfa3bdc3359f65628f9f"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/gitpod-io/gitpod/commit/673ab6856fa04c13b7b1f2a968e4d090f1d94e4f"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/gitpod-io/gitpod/pull/16378"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/gitpod-io/gitpod/pull/16405"}, {"source": "report@snyk.io", "tags": ["Release Notes"], "url": "https://github.com/gitpod-io/gitpod/releases/tag/release-2022.11.2"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1385"}], "source": "report@snyk.io", "type": "Secondary"}]}