Today > vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-21583

July 19, 2024, 1:01 p.m.

Tags

CWE-15
report@snyk.io
2024-07-19
CVE-2024-21583

CVSS Score

4.1 / 10

Product(s) Impacted

github.com/gitpod-io/gitpod/components/server/go/pkg/lib

  • before main-gha.27122

github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy

  • before main-gha.27122

github.com/gitpod-io/gitpod/install/installer/pkg/components/auth

  • before main-gha.27122

github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server

  • before main-gha.27122

github.com/gitpod-io/gitpod/install/installer/pkg/components/server

  • before main-gha.27122

@gitpod/gitpod-protocol

  • before 0.1.5-main-gha.27122

Description

Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpod-protocol before 0.1.5-main-gha.27122 are vulnerable to Cookie Tossing due to a missing __Host- prefix on the _gitpod_io_jwt2_ session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker’s own JWT so that specific actions taken by the victim (such as connecting a new Github organization) are actioned by the attackers session.

Weaknesses

CWE-15
External Control of System or Configuration Setting

One or more system settings or configuration elements can be externally controlled by a user.

CWE ID: 15

Date

Published: July 19, 2024, 5:15 a.m.

Last Modified: July 19, 2024, 1:01 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

report@snyk.io

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score
4.1
Exploitability Score
2.3
Impact Score
1.4
Base Severity
MEDIUM
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

References

https://app.safebase.io/ report@snyk.io
https://github.com/ report@snyk.io
https://github.com/ report@snyk.io
https://security.snyk.io/ report@snyk.io
https://security.snyk.io/ report@snyk.io
https://security.snyk.io/ report@snyk.io
https://security.snyk.io/ report@snyk.io
https://security.snyk.io/ report@snyk.io
https://security.snyk.io/ report@snyk.io