4 matches found

CVE
added 2020/04/03 2:29 p.m. | 103 views

CVE-2020-10689

Eclipse Che (up to 7.8.x) contains an access control flaw where an authenticated user can bypass the JWT proxy to access another user’s workspace pods. Exploitation requires knowledge of the target pod’s service name and namespace, and the impact affects workspace pod access with partial confident...

CVSS 6.8 | AI score 6.5 | EPSS 0.00752
CVE
added 2019/12/19 5:5 p.m. | 78 views

CVE-2019-17633

CVE-2019-17633 affects Eclipse Che versions 6.16–7.3.0 when authentication and TLS are disabled; a malicious webpage can trigger the start of an arbitrary Che workspace via local browser requests. The root cause is improper access control under unauthenticated, non-TLS conditions, enabling CSRF-l...

CVSS 8.8 | AI score 8.5 | EPSS 0.00811
CVE
added 2020/12/14 8:5 p.m. | 59 views

CVE-2020-14368

CVE-2020-14368 affects Eclipse Che (versions prior to 7.14.0) when cookie-based authentication is configured, enabling CSRF due to Theia IDE not setting SameSite correctly and enabling a cross-site WebSocket hijack on the /services endpoint. Attack scenario involves MITM and tricking the user int...

CVSS 7.1 | AI score 7 | EPSS 0.00507
Web
CVE
added 2021/09/29 9:35 p.m. | 49 views

CVE-2021-41034

The CVE concerns Eclipse Che v6: builds of language stacks (Java 8 on Alpine/CentOS, Android, and PHP) pull binaries from an unsecured HTTP endpoint, enabling MITM substitution during the build process. The vulnerability affects the build-time retrieval of binaries, not runtime execution. Root ca...

CVSS 8.1 | AI score 7.9 | EPSS 0.0039