2 matches found
CVE-2020-10689
Eclipse Che (up to 7.8.x) contains an access control flaw where an authenticated user can bypass the JWT proxy to access another user’s workspace pods. Exploitation requires knowledge of the target pod’s service name and namespace, and the impact affects workspace pod access with partial confident...
CVE-2020-14368
CVE-2020-14368 affects Eclipse Che (versions prior to 7.14.0) when cookie-based authentication is configured, enabling CSRF due to Theia IDE not setting SameSite correctly and enabling a cross-site WebSocket hijack on the /services endpoint. Attack scenario involves MITM and tricking the user int...