CVE-2024-21583
📋 TL;DR
Cookie tossing: an attacker who controls a subdomain of the Gitpod deployment domain can set a _gitpod_io_jwt2_ session cookie with a Domain attribute covering the parent domain, and the victim's browser then sends that cookie to the Gitpod control plane. Because the cookie name carried no __Host- prefix, browsers had no reason to refuse it. The effect is session fixation: the victim's subsequent actions, such as connecting a GitHub organization, are performed under the attacker's session. Affects deployments running vulnerable versions of several Gitpod components.
💻 Affected Systems
- Gitpod Server
- Gitpod WS-Proxy
- Gitpod Auth Component
- Gitpod Public API Server
- Gitpod Installer Components
- @gitpod/gitpod-protocol
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
The victim, signed into the attacker's session by the tossed cookie, connects their GitHub organization to what is in fact the attacker's Gitpod account. The attacker then holds that connection, potentially leading to code theft, repository compromise or a supply chain attack on the organization's projects.
Likely Case
Session fixation rather than classic hijacking: the victim's actions on the control plane (such as connecting a GitHub organization or working with workspace resources) are carried out under the attacker's session, so their results attach to the attacker's account. Note the direction: the attacker does not obtain the victim's token; the victim is made to use the attacker's.
If Mitigated
Lower if subdomains of the deployment domain are tightly controlled, but keep the precondition in perspective: Gitpod serves workspace content from subdomains of the deployment domain through ws-proxy, so the attacker needs a workspace there rather than a subdomain takeover. Network segmentation does not change the picture, because the cookie is set and replayed inside the victim's browser.
🎯 Exploit Status
Exploitation requires attacker to control a subdomain of the Gitpod deployment domain; no public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: main-gha.27122 or later
Vendor Advisory: https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155
Restart Required: Yes
Instructions:
1. Update all affected Gitpod components to main-gha.27122 or later (if you build from source, the fix is commit da1053e1013f27a56e6d3533aa251dbd241d0155, PR #19973).
2. Restart the Gitpod services so the new cookie settings take effect.
3. Verify that the session cookie is now issued with the __Host- prefix, as described under How to Verify.
🔧 Temporary Workarounds
Subdomain Restriction (all)
Restrict who can serve content on subdomains of the Gitpod deployment domain, since any page on such a subdomain can set a Domain-scoped cookie that the control plane receives. Be aware that Gitpod itself serves workspace content from subdomains through ws-proxy, so every user with a workspace already holds one; this workaround is weak.
Cookie Validation (all)
The Cookie request header carries only name=value pairs, not the Domain or Path a cookie was set with, so the server cannot check where a cookie came from. An interim server-side measure is to reject, or at least log, requests that present more than one cookie named _gitpod_io_jwt2_, which is what a tossed cookie riding alongside the victim's legitimate one looks like. This catches nothing when the victim had no session cookie yet.
🧯 If You Can't Patch
- Monitor and restrict who can create or control subdomains of the deployment domain, keeping in mind that workspace subdomains are created by ordinary use of Gitpod
- Network segmentation of the control plane is defence in depth only: the cookie is planted by a page in the victim's browser and replayed by that browser, so isolating the control plane from untrusted networks does not stop the attack
🔍 How to Verify
Check if Vulnerable:
In the browser developer tools (Application/Storage > Cookies) or in the Set-Cookie header of the login response, look at the session cookie's name. If it is _gitpod_io_jwt2_ with no __Host- prefix, the deployment does not have the fix.
Check Version:
Check Gitpod component versions against main-gha.27122
Verify Fix Applied:
Confirm the session cookie is now issued under the __Host- prefix with the attributes the prefix requires (Secure, Path=/, no Domain attribute) and with HttpOnly set. A browser refuses a __Host- cookie that lacks any of those, so a cookie stored under that name is host-only by construction and cannot be tossed from a subdomain.
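The mechanism described in the TL;DR and the check above, as an added example (Python, not Gitpod's own code): a small model of how a browser scopes cookies under RFC 6265 and the __Host- / __Secure- prefix rules, applied to a constructed deployment domain, a constructed workspace subdomain and constructed Set-Cookie lines. Every host name and token value here is made up.

```python
"""Why a __Host- prefixed cookie cannot be tossed from a subdomain.

Added example, not Gitpod code. It models the browser-side rules of
RFC 6265 (Domain/Path scoping) and the __Host- / __Secure- prefixes of
RFC 6265bis, then applies them to constructed hosts and Set-Cookie lines.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed names: a Gitpod control plane and a workspace served on a subdomain.
CONTROL_PLANE = "gitpod.example.com"
ATTACKER_HOST = "attacker-ws.ws.gitpod.example.com"

# Constructed Set-Cookie lines; the JWT values are placeholders.
VULNERABLE = "_gitpod_io_jwt2_=attacker.jwt; Domain=gitpod.example.com; Path=/; Secure; HttpOnly"
FIXED = "__Host-_gitpod_io_jwt2_=legit.jwt; Path=/; Secure; HttpOnly"
# What a tosser would have to send post-fix: the prefix forbids a Domain attribute.
TOSS_POST_FIX = "__Host-_gitpod_io_jwt2_=attacker.jwt; Domain=gitpod.example.com; Path=/; Secure; HttpOnly"


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None  # Domain attribute; None means host-only
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def browser_accepts(cookie: Cookie, setting_host: str, https: bool) -> bool:
    """Would a browser store this cookie when setting_host sends it?"""
    # A host may only set Domain to itself or to a parent domain.
    if cookie.domain is not None and not domain_matches(setting_host, cookie.domain):
        return False
    if cookie.name.startswith("__Host-"):
        # __Host-: Secure, secure origin, Path=/ and no Domain attribute at all.
        return cookie.secure and https and cookie.path == "/" and cookie.domain is None
    if cookie.name.startswith("__Secure-"):
        return cookie.secure and https
    return True


def sent_to(cookie: Cookie, setting_host: str, request_host: str) -> bool:
    """Would a stored cookie be attached to a request for request_host?"""
    if cookie.domain is None:
        return request_host == setting_host  # host-only: exact host match
    return domain_matches(request_host, cookie.domain)


def tossable(set_cookie: str, attacker_host: str, target_host: str) -> bool:
    """True if a page on attacker_host can plant set_cookie so that target_host receives it."""
    cookie = parse_set_cookie(set_cookie)
    return browser_accepts(cookie, attacker_host, https=True) and sent_to(cookie, attacker_host, target_host)


def host_prefix_ok(set_cookie: str) -> bool:
    """Fix check for a captured Set-Cookie: __Host- name plus the attributes the prefix requires."""
    c = parse_set_cookie(set_cookie)
    return c.name.startswith("__Host-") and c.secure and c.http_only and c.path == "/" and c.domain is None


if __name__ == "__main__":
    print("pre-fix cookie tossable from workspace subdomain:", tossable(VULNERABLE, ATTACKER_HOST, CONTROL_PLANE))
    print("post-fix toss attempt tossable:", tossable(TOSS_POST_FIX, ATTACKER_HOST, CONTROL_PLANE))
    print("fixed Set-Cookie passes verification:", host_prefix_ok(FIXED))
    print("vulnerable Set-Cookie passes verification:", host_prefix_ok(VULNERABLE))
```

To check a live deployment, feed host_prefix_ok the Set-Cookie value shown by curl -i or the browser's Network tab on the response that establishes the session. The model also shows why the pre-fix situation is worse than it looks: the tossed Domain-scoped cookie and the victim's legitimate host-only cookie are distinct entries in the cookie jar and are both sent, and RFC 6265 orders cookies with the longer Path first, so a tossed cookie with a more specific path reaches the server ahead of the legitimate one. The __Host- prefix removes both levers at once by forbidding a Domain attribute and forcing Path=/.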
📡 Detection & Monitoring
Log Indicators:
- After the patch is deployed, requests to the control plane that still carry a cookie named _gitpod_io_jwt2_ without the __Host- prefix
- Requests carrying more than one session cookie of that name (a tossed cookie arriving alongside the victim's legitimate one)
- Workspace or port subdomains responding with Set-Cookie headers whose Domain attribute is the deployment domain, if ws-proxy is configured to log response headers
Network Indicators:
- Only visible where TLS is terminated: Set-Cookie responses from workspace subdomains scoped to the deployment domain, and Cookie request headers that repeat the session cookie name
SIEM Query:
Search web or proxy logs for cookie values matching _gitpod_io_jwt2_= that are not preceded by __Host- (for example the regex (^|[;\s])_gitpod_io_jwt2_=). This requires the Cookie request header to be logged, which most proxies do not do by default; enable it deliberately and remember that the header contains the session token itself.
🔗 References
- https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d
- https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155
- https://github.com/gitpod-io/gitpod/pull/19973
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078
- https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079