Bug 1823892 (CVE-2020-14368) - CVE-2020-14368 eclipse che: cross-site websocket hijack of service endpoint
Summary: CVE-2020-14368 eclipse che: cross-site websocket hijack of service endpoint
Keywords:
Status: NEW
Alias: CVE-2020-14368
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1860080
Blocks: 1822258
TreeView+ depends on / blocked
 
Reported: 2020-04-14 18:13 UTC by Siddharth Sharma
Modified: 2021-02-16 20:16 UTC (History)
9 users (show)

See Also:
Fixed In Version: che-theia 7.14.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Eclipse Che that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Theia IDE. This flaw allows an attacker to gain full access to the victim's workspace through the /services endpoint. To perform a successful attack, the attacker conducts a Man-in-the-middle attack (MITM) and tricks the victim into executing a request via an untrusted link, which performs the CSRF and the Socket hijack. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Siddharth Sharma 2020-04-14 18:13:35 UTC
There's an issue with Eclipse Che, impacting on CodeReady Workspaces. When configured with Cookies authentication, Theia IDE doesn't properly set SameSite value allowing CSRF and consequently allowing cross-site websocket hijack on Theia IDE. An attacker may leverage this weakness to gain full-access to the victim's workspace through the /services endpoint. The an attack be successfully performed the attacker needs to perform a MITM and tricks the victim to execute a request via an untrusted link which performs the CSRF and the Socket hijack itself.

Comment 7 Dhananjay Arunesh 2020-09-02 04:45:24 UTC
Acknowledgments:

Name: Robin Duda

Comment 9 Marco Benatto 2020-10-05 14:50:35 UTC
There's an issue with Eclipse Che, impacting on CodeReady Workspaces. When configured with Cookies authentication, Theia IDE doesn't properly set SameSite value allowing CSRF and consequently allowing cross-site websocket hijack on Theia IDE. An attacker may leverage this weakness to gain full-access to the victim's workspace through the /services endpoint. The an attack be successfully performed the attacker needs to perform a MITM and tricks the victim to execute a request via an untrusted link which performs the CSRF and the Socket hijack itself.

Comment 11 Nick Boldt 2020-10-05 17:59:07 UTC
If fixed in https://github.com/eclipse/che-theia/commit/f9409ac45f977bfb745520f5826c18d41024ebcd (or any of the commits linked from here from May/June 2020) then the fixversion here should be set to:

Che 7.14 == CRW 2.2 [mappings can be seen here: https://issues.redhat.com/projects/CRW?selectedItem=com.atlassian.jira.jira-projects-plugin:release-page&status=released-unreleased ]

Since we're currently on CRW 2.5, with 2.4 released last week, it seems like this issue can be closed.

Comment 13 Nick Boldt 2020-12-07 17:03:57 UTC
This issue (for CodeReady Workspaces) was fixed in CRW 2.2 in Aug 2020. See https://issues.redhat.com/browse/CRW-1176.

I would be surprised if INTLY is still impacted too, as I'd expect they're using our latest 2.5.0 or 2.5.1 release.


Note You need to log in before you can comment on or make changes to this bug.