Published: 14/12/2020 Updated: 04/01/2021

CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9

CVSS v3 Base Score: 7.1 | Impact Score: 5.9 | Exploitability Score: 1.2

VMScore: 409

Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P

A flaw was found in Eclipse Che in versions before 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Theia IDE. This flaw allows an malicious user to gain full access to the victim's workspace through the /services endpoint. To perform a successful attack, the attacker conducts a Man-in-the-middle attack (MITM) and tricks the victim into executing a request via an untrusted link, which performs the CSRF and the Socket hijack. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Vulnerable Product	Search on Vulmon	Subscribe to Product
eclipse che

Interactive RCE exploit demo for Eclipse CHE

CSWSH-THEIA-CVE-2020-14368 Report target: Eclipse CHE deployment available on cheopenshiftio Vulnerability type: Cross-site websocket hijack Discovery date: 2020-04-08 Author: Robin Duda (codingchili@github) Summary The /services websocket endpoint in Eclipse CHE adn Theia is vulnerable to cross-site websocket hijacking This vulnerability affects Eclipse CHE servers that u

CWE-352 https://bugzilla.redhat.com/show_bug.cgi?id=1823892 https://nvd.nist.gov https://github.com/codingchili/CVE-2020-14368

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2020-14368

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect