In Eclipse Che up to version 7.8.x, any pod running in a Kubernetes cluster is able to send unauthenticated requests to Eclipse Che Workspaces pods, bypassing the JWT proxy. This implies a user can send requests to another user's machine-exec container and get access to it, bypassing the JWT proxy. For an attack to be considered successful, the attacker needs to know the IP or name of the targeted service and the namespace where workspaces are running. This flaw was fixed in Eclipse Che 7.9.0. https://github.com/eclipse/che/issues/15651
Acknowledgments: Name: Mario Loriedo (Red Hat)
Upstream commits for this issue: https://github.com/eclipse/che-theia/commit/ae27d4ab05396727140c9c79eaa898cee1225514 https://github.com/eclipse/che-plugin-registry/pull/378/commits/4106a306a7b5c5eae4d888a79dedd91cd848f29b
Eclipse Che uses JWTProxy to authenticate requests sent among pods from the same workspace; however, a flaw was found in the way JWTProxy is used by Eclipse Che: it is possible for an attacker to interact with the Theia server from a workspace different than the one he owns. This issue is not trivial to exploit, as the attacker needs high privileges in cluster-wide scope and needs to know the IP of the container running the targeted Theia server.
This issue has been addressed in the following products: Red Hat CodeReady Workspaces 2.0 Via RHSA-2020:1475 https://access.redhat.com/errata/RHSA-2020:1475
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10689