52 matches found
CVE-2024-21583
CWE/CVE: CVE-2024-21583 affects Gitpod components and protocol (e.g., components/server/go/pkg/lib, components/ws-proxy/pkg/proxy, installer/auth/public-api-server/server, and @gitpod/gitpod-protocol; before main-gha.27122) with a Cookie Tossing flaw due to a missing __Host- prefix on the gitpod_...
PT-2024-18969 · Gitpod · Gitpod
Name of the Vulnerable Software and Affected Versions: github.com/gitpod-io/gitpod/components/server/go/pkg/lib versions before main-gha.27122 github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy versions before main-gha.27122 github.com/gitpod-io/gitpod/install/installer/pkg/components/auth...
Cookie Tossing
Overview Affected versions of this package are vulnerable to Cookie Tossing due to a missing __Host- prefix on the _gitpod_io_jwt2_ session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker’s own JW...
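The mechanism behind this advisory, as an added Go example (not Gitpod's code): a small model of a browser's cookie store, applied to a cookie "tossed" from an attacker-controlled subdomain with a Domain attribute widened to the parent host. Without a prefix the tossed cookie is stored and sent to the control plane; with a __Host- name the browser refuses it because __Host- forbids a Domain attribute and requires Secure and Path=/. The hosts app.gitpod.example and evil.app.gitpod.example and the cookie names session_jwt and __Host-session_jwt are placeholders, not Gitpod's.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Hypothetical host names for illustration; they are not Gitpod's.
const (
	controlPlane = "app.gitpod.example"      // where the session cookie is consumed
	attackerHost = "evil.app.gitpod.example" // a subdomain the adversary controls
)

// domainMatches implements RFC 6265 domain-matching: host equals the domain
// or is a subdomain of it.
func domainMatches(host, domain string) bool {
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// browserAccepts mirrors the storage rules a current browser applies when a
// page on setFrom issues Set-Cookie, including the __Secure-/__Host- prefix
// rules. Public-suffix checks are left out to keep the model small.
func browserAccepts(setFrom string, c *http.Cookie) (bool, string) {
	if c.Domain != "" && !domainMatches(setFrom, c.Domain) {
		return false, "Domain attribute does not cover the setting host"
	}
	if strings.HasPrefix(c.Name, "__Secure-") && !c.Secure {
		return false, "__Secure- requires the Secure attribute"
	}
	if strings.HasPrefix(c.Name, "__Host-") {
		switch {
		case !c.Secure:
			return false, "__Host- requires the Secure attribute"
		case c.Domain != "":
			return false, "__Host- forbids a Domain attribute"
		case c.Path != "/":
			return false, "__Host- requires Path=/"
		}
	}
	return true, ""
}

// sentTo reports whether a stored cookie set from setFrom accompanies a
// request to target: host-only cookies stay on setFrom, domain cookies
// travel to every host that domain-matches.
func sentTo(setFrom string, c *http.Cookie, target string) bool {
	if c.Domain == "" {
		return target == setFrom
	}
	return domainMatches(target, c.Domain)
}

// tossed is the cookie a script on attackerHost emits: Domain widened to the
// parent so that the control plane receives the attacker's value.
func tossed(name string) *http.Cookie {
	return &http.Cookie{
		Name:   name,
		Value:  "attacker-chosen-jwt", // placeholder, not a real token
		Domain: controlPlane,
		Path:   "/",
		Secure: true,
	}
}

// TossSucceeds answers: can the attacker plant a cookie of this name that the
// control plane will read?
func TossSucceeds(name string) bool {
	c := tossed(name)
	ok, _ := browserAccepts(attackerHost, c)
	return ok && sentTo(attackerHost, c, controlPlane)
}

// HardenedSessionCookie is how the control plane should issue the session:
// __Host- prefix, Secure, no Domain, Path=/, HttpOnly.
func HardenedSessionCookie(name, value string) *http.Cookie {
	return &http.Cookie{
		Name:     "__Host-" + name,
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
}

func main() {
	for _, name := range []string{"session_jwt", "__Host-session_jwt"} {
		_, why := browserAccepts(attackerHost, tossed(name))
		fmt.Printf("%-20s tossable=%-5v %s\n", name, TossSucceeds(name), why)
	}
	h := HardenedSessionCookie("session_jwt", "legit")
	ok, _ := browserAccepts(controlPlane, h)
	fmt.Println("control plane can set its own cookie:", ok, "->", h.String())
}
```

The prefix is enforced client-side, so it protects only against tossing from browsers that implement it (all current ones do); it also means the cookie can never be shared across subdomains, which is the intended trade-off for a control-plane session.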
Cross-Site Scripting (XSS)
github.com/gitpod-io/gitpod is vulnerable to Cross-Site Scripting (XSS). The library does not properly validate user-supplied URLs, so a redirect can target protocols outside the trusted set of three (vscode:, vscode-insiders:, jetbrains-gateway:), allowing an attacker to execute...
GHSA-GQX9-H3W2-FPRG Gitpod vulnerable to Cross-site Scripting
Gitpod before 2022.11.3 allows XSS because redirection can occur for some protocols outside of the trusted set of three (vscode:, vscode-insiders:, jetbrains-gateway:)...
CVE-2023-32766
Gitpod before 2022.11.3 allows XSS because redirection can occur for some protocols outside of the trusted set of three (vscode:, vscode-insiders:, jetbrains-gateway:)...
Gitpod cross-site scripting vulnerability
Gitpod is an open source Kubernetes application for automated, ready-to-use code development environments that integrate into an existing workflow. A security vulnerability exists in Gitpod versions prior to 2022.11.3, which stems from a cross-site scripting (XSS)...
CVE-2023-32766
CVE-2023-32766 affects Gitpod prior to 2022.11.3, where an XSS arises from redirects to non-trusted protocols outside the approved set (vscode:, vscode-insiders:, jetbrains-gateway:). The root cause is improper URL handling that allows attacker-controlled or crafted URLs to redirect a user’s brow...
PT-2023-24012 · Gitpod · Gitpod
Name of the Vulnerable Software and Affected Versions: Gitpod versions prior to 2022.11.3 Description: The issue allows for XSS because redirection can occur for some protocols outside of the trusted set of three, which includes vscode:, vscode-insiders:, and jetbrains-gateway:. Recommendations:...
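The defence the CVE-2023-32766 entries describe is a scheme allow-list on the redirect target. The following is an added Go example, not Gitpod's code: a validator that parses the candidate URL and accepts only the three trusted schemes, a deliberately weak substring check shown for contrast (hypothetical, not the check Gitpod used), and a minimal handler. The path /launch and the query parameter redirect are assumed names.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// trustedSchemes is the allow-list the advisory names: an IDE-launch redirect
// may only target one of these custom protocol handlers.
var trustedSchemes = map[string]bool{
	"vscode":            true,
	"vscode-insiders":   true,
	"jetbrains-gateway": true,
}

var errUntrustedScheme = errors.New("redirect target does not use a trusted scheme")

// ValidateRedirect parses the candidate target and accepts it only when the
// parsed scheme is allow-listed. Parsing is the point: javascript:, data:,
// scheme-relative (//host) and mixed-case schemes all fall out of a single
// comparison on url.URL.Scheme, which url.Parse lower-cases.
func ValidateRedirect(raw string) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("unparseable redirect target: %w", err)
	}
	if u.Scheme == "" || !trustedSchemes[u.Scheme] {
		return nil, errUntrustedScheme
	}
	return u, nil
}

// NaiveAccepts is a hypothetical weak check (not Gitpod's code) shown for
// contrast: a substring test that a javascript: URL satisfies by merely
// containing a trusted scheme somewhere in its body.
func NaiveAccepts(raw string) bool {
	for s := range trustedSchemes {
		if strings.Contains(raw, s+":") {
			return true
		}
	}
	return false
}

// LaunchHandler is a minimal endpoint shape (hypothetical path and parameter):
// GET /launch?redirect=<url> answers 302 to a trusted scheme, 400 otherwise.
func LaunchHandler(w http.ResponseWriter, r *http.Request) {
	u, err := ValidateRedirect(r.URL.Query().Get("redirect"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, u.String(), http.StatusFound)
}

func main() {
	// Constructed probe inputs: the first two are legitimate IDE links, the
	// rest are the kinds of targets the scheme allow-list must refuse.
	probes := []string{
		"vscode://vscode.dev/open?workspace=demo",
		"JetBrains-Gateway://connect",
		"javascript:alert(document.cookie)//vscode:",
		"data:text/html,<script>alert(1)</script>",
		"//attacker.example/",
		"https://attacker.example/",
	}
	for _, p := range probes {
		_, err := ValidateRedirect(p)
		fmt.Printf("%-45q naive=%-5v strict=%v\n", p, NaiveAccepts(p), err == nil)
	}
}
```

Rejecting https: as well is intentional: the endpoint exists to hand off to a desktop IDE, so an ordinary web URL has no business there and would otherwise be an open redirect.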
CVE-2023-0957
An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSON-RPC server using a victim’s credentials, because the Origin header is not restricted. This...
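The fix for a CSWSH issue of this shape is to check the Origin header before upgrading. As an added Go example (not Gitpod's code): an exact-match origin guard in front of a cookie-authenticated WebSocket endpoint, driven by constructed handshakes so the refused and accepted cases are visible. The allowed origin https://app.gitpod.example and the path /jsonrpc are assumptions, and the 101 response is a stand-in for a real upgrade.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedOrigins lists the exact origins (scheme://host[:port]) that may open
// a WebSocket to the cookie-authenticated JSON-RPC endpoint. Hypothetical.
var allowedOrigins = map[string]bool{
	"https://app.gitpod.example": true,
}

// OriginAllowed compares the whole Origin (scheme, host and port) against the
// allow-list. Suffix or substring matching is the classic mistake here
// ("app.gitpod.example.attacker.example" passes a HasSuffix test); a missing
// or "null" Origin is refused because every browser WebSocket handshake
// carries one.
func OriginAllowed(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	canonical := strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host)
	return allowedOrigins[canonical]
}

// isWebSocketUpgrade recognises a handshake by its Upgrade/Connection headers.
func isWebSocketUpgrade(r *http.Request) bool {
	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
		strings.Contains(strings.ToLower(r.Header.Get("Connection")), "upgrade")
}

// GuardUpgrade refuses cross-origin WebSocket handshakes with 403 before the
// wrapped handler gets a chance to upgrade and act on the victim's cookies.
func GuardUpgrade(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isWebSocketUpgrade(r) && !OriginAllowed(r) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// HandshakeStatus drives a constructed handshake (victim cookie attached, as a
// browser would do) carrying the given Origin through the guard and returns
// the status the initiating page would observe.
func HandshakeStatus(origin string) int {
	req := httptest.NewRequest(http.MethodGet, "/jsonrpc", nil)
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Cookie", "session=victim-token") // ambient credential
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	upgrade := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusSwitchingProtocols) // stand-in for the real upgrade
	})
	GuardUpgrade(upgrade).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, o := range []string{
		"https://app.gitpod.example",
		"https://attacker.example",
		"https://app.gitpod.example.attacker.example",
		"http://app.gitpod.example",
		"null",
		"",
	} {
		fmt.Printf("Origin %-45q -> %d\n", o, HandshakeStatus(o))
	}
}
```

Browsers omit the default port from Origin, so an exact string match against https://host is correct; list host:port explicitly only for non-default ports. The Origin check complements, rather than replaces, any CSRF token scheme on the HTTP endpoints.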