4.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-21583

GHSA ID

GHSA-8pgc-65mj-53h5

EPSS Score

0.29695%

CWE

CWE-15

Published

7/19/2024

Updated

10/31/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-21583

CVE-2024-21583: github.com/gitpod-io/gitpod vulnerable to Cookie Tossing

Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpod-protocol before 0.1.5-main-gha.27122 are vulnerable to Cookie Tossing due to a missing __Host- prefix on the gitpod_io_jwt2 session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker’s own JWT so that specific actions taken by the victim (such as connecting a new Github organization) are actioned by the attackers session.

(GitHub Advisory)

4.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-21583

GHSA ID

GHSA-8pgc-65mj-53h5

EPSS Score

0.29695%

CWE

CWE-15

Published

7/19/2024

Updated

10/31/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/gitpod-io/gitpod	go	<= 0.8.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing __Host- prefix in cookie names. The CookieNameFromDomain function was directly responsible for generating insecure cookie names (evidenced by pre-patch code returning '_'+derived+'jwt2'). The commit da1053e explicitly fixes this by adding the __Host- prefix. This function's output directly controlled the cookie's security attributes, making it the root cause of the cookie tossing vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* t** p**k*** *it*u*.*om/*itpo*-io/*itpo*/*ompon*nts/s*rv*r/*o/pk*/li* ***or* m*in-***.*****; v*rsions o* t** p**k*** *it*u*.*om/*itpo*-io/*itpo*/*ompon*nts/ws-proxy/pk*/proxy ***or* m*in-***.*****; v*rsions o* t** p**k*** *it*u*.*om/*itpo*

Reasoning

T** vuln*r**ility st*ms *rom missin* __*ost- pr**ix in *ooki* n*m*s. T** *ooki*N*m**rom*om*in *un*tion w*s *ir**tly r*sponsi*l* *or **n*r*tin* ins**ur* *ooki* n*m*s (*vi**n*** *y pr*-p*t** *o** r*turnin* '_'+**riv**+'_jwt*_'). T** *ommit ******* *xpl

4.1

Basic Information

Concerned about an active attack path?

CVE-2024-21583: github.com/gitpod-io/gitpod vulnerable to Cookie Tossing

4.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI