Unrated severity · NVD Advisory · Published Mar 3, 2023 · Updated Mar 5, 2025
CVE-2023-0957
Description
An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, up to a full takeover of the workspace.
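The root cause named above is a WebSocket handshake that accepts any Origin while still honouring the browser's session cookie. The following is an added example, not Gitpod's code: it shows the unchecked handshake beside a hardened version that exact-matches a normalised Origin against an allow-list. The allow-list entries, the header objects and the cookie value are constructed for illustration.

```javascript
// Added example (not Gitpod's code): Origin allow-listing for a WebSocket
// upgrade handler, the control that prevents Cross-Site WebSocket Hijacking.
// Browsers attach the user's cookies to a cross-site WebSocket handshake, so a
// server that authenticates by cookie must also verify that the Origin header
// names a site it owns. The allow-list below is constructed for the example.
const ALLOWED_ORIGINS = ['https://gitpod.example', 'https://app.gitpod.example:8443']; // constructed

// Normalise an Origin value to scheme://host[:port] so comparisons are exact.
// Returns null for anything that is not a plain origin, including the literal
// "null" origin that browsers send for sandboxed or opaque contexts.
function normalizeOrigin(origin) {
  if (typeof origin !== 'string') return null;
  const raw = origin.trim();
  if (raw === '' || raw === 'null') return null;
  let u;
  try { u = new URL(raw); } catch { return null; }
  // An Origin header never carries credentials, a path, a query or a fragment.
  if (u.username || u.password || u.pathname !== '/' || u.search || u.hash) return null;
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  // URL.origin lowercases the host and drops default ports (443 for https).
  return u.origin;
}

// Vulnerable pattern: the handshake is accepted regardless of Origin, so any
// site the victim visits can open a socket that carries the victim's session.
function acceptUpgradeUnchecked(headers) {
  return Boolean(headers.cookie); // "authenticated" means a session cookie is present
}

// Hardened pattern: the normalised Origin must exactly match an allow-listed
// origin. A missing or unparsable Origin is rejected for cookie-authenticated
// clients; non-browser clients should authenticate with a token instead.
function isOriginAllowed(originHeader, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(originHeader);
  if (origin === null) return false;
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
  return allowed.has(origin);
}

function acceptUpgradeChecked(headers, allowedOrigins = ALLOWED_ORIGINS) {
  if (!headers.cookie) return false; // no session, nothing to hijack
  return isOriginAllowed(headers.origin, allowedOrigins);
}

// Demonstration with constructed handshake headers.
function demo() {
  const victimSession = 'session=constructed-session-cookie'; // constructed
  const sameSite = { origin: 'https://gitpod.example', cookie: victimSession };
  const crossSite = { origin: 'https://attacker.example', cookie: victimSession };
  console.log('unchecked, cross-site:', acceptUpgradeUnchecked(crossSite)); // true  (hijack would succeed)
  console.log('checked,   cross-site:', acceptUpgradeChecked(crossSite));   // false (rejected)
  console.log('checked,   same-site :', acceptUpgradeChecked(sameSite));    // true
}
demo();
```

Exact matching after normalisation is the important design choice: a prefix or substring check would accept `https://gitpod.example.attacker.example`, and comparing raw strings would reject legitimate variants such as an upper-case host or an explicit `:443`. Both are covered by `normalizeOrigin`.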
Affected products
- Gitpod / Gitpod (v5 range: 0)
Patches
Vulnerability mechanics
References (7, all via MITRE)
- https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview
- https://github.com/gitpod-io/gitpod/commit/12956988eec0031f42ffdfa3bdc3359f65628f9f
- https://github.com/gitpod-io/gitpod/commit/673ab6856fa04c13b7b1f2a968e4d090f1d94e4f
- https://github.com/gitpod-io/gitpod/pull/16378
- https://github.com/gitpod-io/gitpod/pull/16405
- https://github.com/gitpod-io/gitpod/releases/tag/release-2022.11.2
- https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/
News mentions (0)
No linked articles in our index yet.