Arbitrary Workspace Launch in Eclipse Che by Malicious Webpages
CVE-2019-17633

8.8HIGH

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Che
Vendor: CVE Published:; 19 December 2019

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2019-17633?

Eclipse Che versions 6.16 to 7.3.0 are vulnerable to an issue where, with both authentication and TLS disabled, a user could inadvertently initiate an arbitrary workspace by visiting a malicious website. While such configurations are rarely deployed on public networks, they can be found in local installations, like on personal laptops. In these cases, even if the Che API is not exposed, local browser scripts could send unauthorized requests, leading to possible exploitation.

Affected Version(s)

Eclipse Che 6.16.0 to 7.3.0 inclusive

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-17633
Created by mgrube

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=551596

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Dec 19, 2019
👾
Exploit known to exist
Dec 19, 2019
Vulnerability published
Dec 19, 2019
Vulnerability Reserved
Oct 16, 2019

Credit

This vulnerability was discovered by Michael Grube

The Eclipse Foundation

Badges

What is CVE-2019-17633?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline

Credit