
CVE-2023-32766: Gitpod vulnerable to Cross-site Scripting

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.344%
Published: 6/5/2023
Updated: 11/9/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name                | Ecosystem | Vulnerable Versions | First Patched Version
github.com/gitpod-io/gitpod | go        | < 2022.11.3         | 2022.11.3

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from improper protocol validation in the redirect logic. The pre-patch code in service.tsx allowed a redirect whenever the target's protocol was NOT http/https, a denylist check that let any other scheme through and so inadvertently permitted XSS vectors. The patch replaced that check with a strict allowlist of three protocols (vscode:, vscode-insiders:, jetbrains-gateway:), which confirms that the protocol check function was the location of the original vulnerability. Restricting the accepted protocols to that set is what closes the XSS issue.
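To make the difference between the two checks concrete, here is an added example that is not Gitpod's service.tsx code: a denylist-style check of the kind the analysis describes beside an allowlist check built from the three protocols named in the patch. The function names, the use of the WHATWG URL parser, and the treatment of relative or malformed targets are assumptions for illustration.

```typescript
// Added example, not Gitpod's code: the two protocol checks the analysis
// contrasts, written as plain functions. Names and behaviour are assumptions.

// Pre-patch pattern (assumed): accept any redirect target whose scheme is
// NOT http/https. This is a denylist, so every unlisted scheme passes.
export function isAllowedRedirectDenylist(target: string): boolean {
  const url = parseAbsoluteUrl(target);
  if (url === null) {
    return false; // relative or malformed targets are not custom-scheme redirects
  }
  return url.protocol !== "http:" && url.protocol !== "https:";
}

// Patched pattern: accept only the three IDE schemes the fix allowlists.
// URL.protocol is reported lowercase with a trailing colon, so the set
// entries use exactly that form and mixed-case input is normalized for free.
export const TRUSTED_PROTOCOLS: ReadonlySet<string> = new Set([
  "vscode:",
  "vscode-insiders:",
  "jetbrains-gateway:",
]);

export function isAllowedRedirectAllowlist(target: string): boolean {
  const url = parseAbsoluteUrl(target);
  return url !== null && TRUSTED_PROTOCOLS.has(url.protocol);
}

// WHATWG URL parsing that returns null instead of throwing on input that is
// not an absolute URL; the check is about the scheme, so relative paths are out.
function parseAbsoluteUrl(target: string): URL | null {
  try {
    return new URL(target);
  } catch {
    return null;
  }
}

// Run both checks over a list of targets and return, per target,
// [denylistResult, allowlistResult] so the gap between them is visible.
export function compareChecks(
  targets: readonly string[]
): Map<string, [boolean, boolean]> {
  const out = new Map<string, [boolean, boolean]>();
  for (const t of targets) {
    out.set(t, [isAllowedRedirectDenylist(t), isAllowedRedirectAllowlist(t)]);
  }
  return out;
}

// Constructed sample targets for the demonstration, not taken from any report.
export const SAMPLE_TARGETS: readonly string[] = [
  "vscode://gitpod.gitpod-desktop/workspace",
  "VSCODE-INSIDERS://gitpod.gitpod-desktop/workspace",
  "jetbrains-gateway://connect",
  "https://example.invalid/",
  "javascript:void(0)",
  "data:text/html,",
  "/relative/path",
];

compareChecks(SAMPLE_TARGETS).forEach(([deny, allow], target) => {
  console.log(`${target}\n  denylist allows: ${deny}\n  allowlist allows: ${allow}`);
});
```

The denylist column shows the shape of the bug: anything that is not http/https, including schemes a browser will execute, comes back as allowed. The allowlist column admits only the three trusted IDE schemes and rejects everything else, including targets that fail to parse at all, which is the conservative default a redirect handler should take.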


WAF Protection Rules

WAF Rule

Gitpod before 2022.11.3 allows XSS because redirection can occur for some protocols outside of the trusted set of three (vscode: vscode-insiders: jetbrains-gateway:).
