Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-8PGC-65MJ-53H5
HistoryJul 19, 2024 - 6:31 a.m.

github.com/gitpod-io/gitpod vulnerable to Cookie Tossing

2024-07-1906:31:13
CWE-15
GitHub Advisory Database
github.com
1
github
gitpod
cookie tossing
vulnerability
subdomain control

CVSS3

4.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

AI Score

6.5

Confidence

High

JSON

Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpod-protocol before 0.1.5-main-gha.27122 are vulnerable to Cookie Tossing due to a missing __Host- prefix on the gitpod_io_jwt2 session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker’s own JWT so that specific actions taken by the victim (such as connecting a new Github organization) are actioned by the attackers session.

Affected configurations

Vulners
Node
github.com\/gitpodio\/gitpodRange≀0.8.0
VendorProductVersionCPE
github.com\/gitpodio\/gitpod*cpe:2.3:a:github.com\/gitpod:io\/gitpod:*:*:*:*:*:*:*:*

References

Related

nvd 1
osv 3
veracode 1
cvelist 1
vulnrichment 1
cve 1
nvd
nvd
CVE-2024-21583
2024-07-19 05:15:10
osv
osv
CVE-2024-21583
2024-07-19 05:15:10
github.com/gitpod-io/gitpod vulnerable to Cookie Tossing
2024-07-19 06:31:13
CVE-2024-21583 in github.com/gitpod-io/gitpod
2024-07-22 18:24:38
veracode
veracode
Cookie Tossing
2024-07-22 20:07:31
cvelist
cvelist
CVE-2024-21583
2024-07-19 05:00:01
vulnrichment
vulnrichment
CVE-2024-21583
2024-07-19 05:00:01
cve
cve
CVE-2024-21583
2024-07-19 05:15:10

CVSS3

4.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

AI Score

6.5

Confidence

High

JSON
Related for GHSA-8PGC-65MJ-53H5
nvd1osv3veracode1cvelist1vulnrichment1cve1