Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2024-21583
PUBLISHED
More InfoOfficial Page
Assigner-snyk
Assigner Org ID-bae035ff-b466-4ff4-94d0-fc9efd9e1730
View Known Exploited Vulnerability (KEV) details
Published At-19 Jul, 2024 | 05:00
Updated At-31 Oct, 2024 | 13:52
Rejected At-
▼CVE Numbering Authority (CNA)

Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpod-protocol before 0.1.5-main-gha.27122 are vulnerable to Cookie Tossing due to a missing __Host- prefix on the _gitpod_io_jwt2_ session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker’s own JWT so that specific actions taken by the victim (such as connecting a new Github organization) are actioned by the attackers session.

Affected Products
Vendor
n/a
Product
github.com/gitpod-io/gitpod/components/server/go/pkg/lib
Versions
Affected
  • From 0 before main-gha.27122 (semver)
Vendor
n/a
Product
github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy
Versions
Affected
  • From 0 before main-gha.27122 (semver)
Vendor
n/a
Product
github.com/gitpod-io/gitpod/install/installer/pkg/components/auth
Versions
Affected
  • From 0 before main-gha.27122 (semver)
Vendor
n/a
Product
github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server
Versions
Affected
  • From 0 before main-gha.27122 (semver)
Vendor
n/a
Product
github.com/gitpod-io/gitpod/install/installer/pkg/components/server
Versions
Affected
  • From 0 before main-gha.27122 (semver)
Vendor
n/a
Product
@gitpod/gitpod-protocol
Versions
Affected
  • From 0 before 0.1.5-main-gha.27122 (semver)
Problem Types
TypeCWE IDDescription
N/AN/ACookie Tossing
Type: N/A
CWE ID: N/A
Description: Cookie Tossing
Metrics
VersionBase scoreBase severityVector
3.14.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N/E:P
Version: 3.1
Base score: 4.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N/E:P
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Elliot Ward (Snyk Security Research)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074
N/A
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075
N/A
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076
N/A
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077
N/A
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078
N/A
https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079
N/A
https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d
N/A
https://github.com/gitpod-io/gitpod/pull/19973
N/A
https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155
N/A
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074
Resource: N/A
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075
Resource: N/A
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076
Resource: N/A
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077
Resource: N/A
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078
Resource: N/A
Hyperlink: https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079
Resource: N/A
Hyperlink: https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d
Resource: N/A
Hyperlink: https://github.com/gitpod-io/gitpod/pull/19973
Resource: N/A
Hyperlink: https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-565CWE-565 Reliance on Cookies without Validation and Integrity Checking
Type: CWE
CWE ID: CWE-565
Description: CWE-565 Reliance on Cookies without Validation and Integrity Checking
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074
x_transferred
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075
x_transferred
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076
x_transferred
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077
x_transferred
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078
x_transferred
https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079
x_transferred
https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d
x_transferred
https://github.com/gitpod-io/gitpod/pull/19973
x_transferred
https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155
x_transferred
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074
Resource:
x_transferred
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075
Resource:
x_transferred
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076
Resource:
x_transferred
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077
Resource:
x_transferred
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078
Resource:
x_transferred
Hyperlink: https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079
Resource:
x_transferred
Hyperlink: https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d
Resource:
x_transferred
Hyperlink: https://github.com/gitpod-io/gitpod/pull/19973
Resource:
x_transferred
Hyperlink: https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155
Resource:
x_transferred
Details not found