CVE-2023-0957

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-0957
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-0957.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-0957
Published
2023-03-03T08:15:08Z
Modified
2025-01-15T04:38:47.903024Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
[none]
Details

An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials, because the Origin header is not restricted. The impact ranges from the extraction of data from workspaces to a full takeover of the workspace.
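
The root cause is that the server completes the WebSocket upgrade regardless of the browser-supplied Origin header, so a page on any site can open a cookie-authenticated socket to the JSON-RPC endpoint. The following is an added example, not Gitpod's own code, of the Origin allow-list check a Node WebSocket server can apply before upgrading; the hostnames in ALLOWED_ORIGINS are constructed placeholders and `headers` is assumed to be Node's lower-cased `req.headers` object.

```javascript
// Origin allow-listing for a WebSocket upgrade handler (added example, not Gitpod code).
// Assumption: ALLOWED_ORIGINS holds every origin the web UI is served from; the
// hostnames below are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://gitpod.example.com",
  "https://ws.gitpod.example.com",
]);

// Canonicalise an Origin header value. Parsing with URL lower-cases the scheme and
// host and drops default ports, so "https://GITPOD.example.com:443" compares equal
// to the allow-listed entry. Anything that is not a bare scheme://host[:port]
// (including the literal "null" origin and values with credentials or a path) is rejected.
function normalizeOrigin(origin) {
  let u;
  try { u = new URL(origin); } catch { return null; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  if (u.pathname !== "/" || u.search || u.hash || u.username) return null;
  return u.origin;
}

// Decide whether an upgrade request may proceed. headers is assumed to be Node's
// req.headers (keys already lower-cased).
function isAllowedOrigin(headers) {
  const raw = headers["origin"];
  if (raw === undefined) {
    // Browsers always send Origin on WebSocket handshakes, so a missing header means a
    // non-browser client (CLI, IDE plugin). CSWSH rides on ambient cookie credentials,
    // so such a request is accepted only when it is not cookie-authenticated.
    return headers["cookie"] === undefined;
  }
  const origin = normalizeOrigin(raw);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// Returns the HTTP status the server should answer the upgrade with:
// 101 continues to the JSON-RPC session, 403 refuses it before any data flows.
function handleUpgrade(headers) {
  return isAllowedOrigin(headers) ? 101 : 403;
}

// Constructed sample handshakes: the first is the legitimate web UI, the second is a
// cross-site page replaying the victim's session cookie.
console.log(handleUpgrade({ origin: "https://gitpod.example.com", cookie: "session=abc" }));
console.log(handleUpgrade({ origin: "https://attacker.example", cookie: "session=abc" }));
```

Wiring this into a real server means calling `handleUpgrade(req.headers)` in the HTTP `upgrade` event and destroying the socket on 403; logging the rejected Origin values gives a cheap detection signal for CSWSH attempts.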

References

Affected packages

Git / github.com/gitpod-io/gitpod

Affected ranges

Type
GIT
Repo
https://github.com/gitpod-io/gitpod
Events

Affected versions

0.*

0.6.0

Other

2022-11-1-rc1

2022.*

2022.02.0-rc1
2022.03.0
2022.03.0-rc0
2022.04.0-rc0
2022.05.0
2022.05.0-rc1
2022.11.0
2022.11.0-rc0
2022.11.1
2022.11.1-rc0

poolkeeper-v1.*

poolkeeper-v1.0.0

v0.*

v0.10.0-nightly
v0.6.0-beta3
v0.9.0-alpha1