Cookie Tossing Affecting github.com/gitpod-io/gitpod/components/server/go/pkg/lib package, versions <main-gha.27122
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.04% (15th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074
- published 18 Jul 2024
- disclosed 15 Jul 2024
- credit Elliot Ward (Snyk Security Research)
Introduced: 15 Jul 2024
CVE-2024-21583 Open this link in a new tabHow to fix?
Upgrade github.com/gitpod-io/gitpod/components/server/go/pkg/lib
to version main-gha.27122 or higher.
Overview
Affected versions of this package are vulnerable to Cookie Tossing due to a missing __Host-
prefix on the _gitpod_io_jwt2_
session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker’s own JWT so that specific actions taken by the victim (such as connecting a new Github organization) are actioned by the attackers session.