CVE-2020-14368 Information

Description

A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication Theia IDE doesn’t properly set the SameSite value allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Theia IDE. This flaw allows an attacker to gain full access to the victim’s workspace through the /services endpoint. To perform a successful attack the attacker conducts a Man-in-the-middle attack (MITM) and tricks the victim into executing a request via an untrusted link which performs the CSRF and the Socket hijack. The highest threat from this vulnerability is to confidentiality integrity as well as system availability.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=1823892

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.1