There's an issue with Eclipse Che, impacting on CodeReady Workspaces. When configured with Cookies authentication, Theia IDE doesn't properly set SameSite value allowing CSRF and consequently allowing cross-site websocket hijack on Theia IDE. An attacker may leverage this weakness to gain full-access to the victim's workspace through the /services endpoint. The an attack be successfully performed the attacker needs to perform a MITM and tricks the victim to execute a request via an untrusted link which performs the CSRF and the Socket hijack itself.
Acknowledgments: Name: Robin Duda
If fixed in https://github.com/eclipse/che-theia/commit/f9409ac45f977bfb745520f5826c18d41024ebcd (or any of the commits linked from here from May/June 2020) then the fixversion here should be set to: Che 7.14 == CRW 2.2 [mappings can be seen here: https://issues.redhat.com/projects/CRW?selectedItem=com.atlassian.jira.jira-projects-plugin:release-page&status=released-unreleased ] Since we're currently on CRW 2.5, with 2.4 released last week, it seems like this issue can be closed.
This issue (for CodeReady Workspaces) was fixed in CRW 2.2 in Aug 2020. See https://issues.redhat.com/browse/CRW-1176. I would be surprised if INTLY is still impacted too, as I'd expect they're using our latest 2.5.0 or 2.5.1 release.