Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpod-protocol before 0.1.5-main-gha.27122 are vulnerable to Cookie Tossing due to a missing __Host- prefix on the _gitpod_io_jwt2_ session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker’s own JWT so that specific actions taken by the victim (such as connecting a new Github organization) are actioned by the attackers session.
Metrics
Affected Vendors & Products
References
History
Thu, 31 Oct 2024 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-565 | |
Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: snyk
Published: 2024-07-19T05:00:01.569Z
Updated: 2024-10-31T13:52:00.420Z
Reserved: 2023-12-22T12:33:20.132Z
Link: CVE-2024-21583
Vulnrichment
Updated: 2024-08-01T22:27:34.499Z
NVD
Status : Awaiting Analysis
Published: 2024-07-19T05:15:10.373
Modified: 2024-11-21T08:54:39.443
Link: CVE-2024-21583
Redhat
No data.