Vulnerability Details :

CVE-2024-21583

Summary
Assigner: snyk
Assigner Org ID: bae035ff-b466-4ff4-94d0-fc9efd9e1730
Published At: 19 Jul, 2024 | 05:00
Updated At: 31 Oct, 2024 | 13:52
Rejected At: -

Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpod-protocol before 0.1.5-main-gha.27122 are vulnerable to Cookie Tossing due to a missing __Host- prefix on the _gitpod_io_jwt2_ session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be set to the attacker's own JWT so that specific actions taken by the victim (such as connecting a new GitHub organization) are carried out in the attacker's session.
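The control the description points at is the __Host- cookie-name prefix: browsers accept such a cookie only from a secure origin, and only if it carries Secure, sets no Domain attribute and uses Path=/, which is exactly what stops a subdomain from tossing a same-named cookie onto the parent host. The following Go example is added here and is not Gitpod's code; it checks Set-Cookie headers against those rules, and the prefixed cookie name it uses is an assumption (the advisory only names the pre-fix cookie).

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// HostPrefix marks a cookie that browsers accept only from a secure origin, with
// Secure set, no Domain and Path=/, so a subdomain cannot toss it onto the parent.
const HostPrefix = "__Host-"

// CheckHostPrefixCookie returns nil for a valid __Host- cookie, or an error
// naming the missing protection or the attribute a browser would reject.
func CheckHostPrefixCookie(c *http.Cookie) error {
	switch {
	case !strings.HasPrefix(c.Name, HostPrefix):
		return fmt.Errorf("no __Host- prefix: a subdomain may set it for the parent host")
	case !c.Secure:
		return fmt.Errorf("__Host- cookie must carry Secure")
	case c.Domain != "":
		return fmt.Errorf("__Host- cookie must not set Domain")
	case c.Path != "/":
		return fmt.Errorf("__Host- cookie must use Path=/")
	}
	return nil
}

// CheckSetCookieHeaders parses raw Set-Cookie values as a client would and
// returns one finding per cookie name (nil means the cookie is compliant).
func CheckSetCookieHeaders(headers []string) map[string]error {
	resp := &http.Response{Header: http.Header{}}
	for _, h := range headers {
		resp.Header.Add("Set-Cookie", h)
	}
	findings := make(map[string]error)
	for _, c := range resp.Cookies() {
		findings[c.Name] = CheckHostPrefixCookie(c)
	}
	return findings
}

func main() {
	// Constructed sample: the pre-fix cookie shape next to the hardened one
	// (the prefixed name is an assumption; the advisory only names the old one).
	headers := []string{"_gitpod_io_jwt2_=eyJhbGciOi; Path=/; Secure; HttpOnly",
		"__Host-_gitpod_io_jwt2_=eyJhbGciOi; Path=/; Secure; HttpOnly; SameSite=Lax"}
	for name, err := range CheckSetCookieHeaders(headers) {
		fmt.Printf("%-24s -> %v\n", name, err)
	}
}
```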

Common Vulnerabilities and Exposures (CVE) (cve.org)
Assigner: snyk
Assigner Org ID: bae035ff-b466-4ff4-94d0-fc9efd9e1730
Published At: 19 Jul, 2024 | 05:00
Updated At: 31 Oct, 2024 | 13:52
Rejected At: -
CVE Numbering Authority (CNA)


Affected Products (vendor: n/a for all)
  • github.com/gitpod-io/gitpod/components/server/go/pkg/lib: affected from 0 before main-gha.27122 (semver)
  • github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy: affected from 0 before main-gha.27122 (semver)
  • github.com/gitpod-io/gitpod/install/installer/pkg/components/auth: affected from 0 before main-gha.27122 (semver)
  • github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server: affected from 0 before main-gha.27122 (semver)
  • github.com/gitpod-io/gitpod/install/installer/pkg/components/server: affected from 0 before main-gha.27122 (semver)
  • @gitpod/gitpod-protocol: affected from 0 before 0.1.5-main-gha.27122 (semver)
Problem Types
  • Type: N/A; CWE ID: N/A; Description: Cookie Tossing
Metrics
  • CVSS 3.1; base score 4.1 (MEDIUM); vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N/E:P
Credits

Elliot Ward (Snyk Security Research)
References (resource type: N/A for all)
  • https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074
  • https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075
  • https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076
  • https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077
  • https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078
  • https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079
  • https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d
  • https://github.com/gitpod-io/gitpod/pull/19973
  • https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155
Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Problem Types
  • Type: CWE; CWE ID: CWE-565; Description: CWE-565 Reliance on Cookies without Validation and Integrity Checking
2. CVE Program Container
References: the same nine links as in the CNA section above, each with resource type x_transferred.
National Vulnerability Database (NVD) (nvd.nist.gov)
Source: report@snyk.io
Published At: 19 Jul, 2024 | 05:15
Updated At: 31 Oct, 2024 | 14:35

Metrics
  • Type: Secondary; CVSS 3.1; base score 4.1 (MEDIUM); vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Weaknesses
  • CWE-15 (Type: Secondary; Source: report@snyk.io)
  • CWE-565 (Type: Secondary; Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0)
References (source: report@snyk.io for all; resource type: N/A)
  • https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d
  • https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155
  • https://github.com/gitpod-io/gitpod/pull/19973
  • https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074
  • https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075
  • https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076
  • https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077
  • https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078
  • https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079
