Cross-Site WebSocket Hijacking Vulnerability in Gitpod
CVE-2023-0957

8.2 HIGH

Key Information:

Vendor: Gitpod
Status: Vendor
CVE Published: 3 March 2023

What is CVE-2023-0957?

Gitpod versions before release 2022.11.2.16 are vulnerable to Cross-Site WebSocket Hijacking (CSWSH). The WebSocket handshake is not covered by the browser's same-origin policy, and the Gitpod JSONRPC server did not restrict the Origin header of that handshake, so a page on an attacker-controlled site visited by a logged-in victim can open a WebSocket connection to the Gitpod JSONRPC server that the browser sends with the victim's ambient credentials (session cookies). The attacker can then issue JSONRPC calls as the victim, including actions that extract sensitive data from the victim's workspaces and can lead to a complete takeover of the victim's account. Users should update to version 2022.11.2.16 or later.

Affected Version(s)

Gitpod, all versions prior to 2022.11.2.16


CVSS V3.1

Score: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Timeline

  • Vulnerability reserved
  • Vulnerability published: 3 March 2023

Credit

Elliot Ward, Snyk