x/vulndb: potential Go vuln in github.com/gitpod-io/gitpod: CVE-2023-0957

[GoVulnBot]

CVE-2023-0957 references github.com/gitpod-io/gitpod, which may be a Go module.

Description:
An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-0957
• JSON: https://github.com/CVEProject/cvelist/tree/a2a0f78edb8b5244d2e9e712198b298bd4f2d514/2023/0xxx/CVE-2023-0957.json
• web: https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=default&orgId=71ccd717-aa2d-4a1e-942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d
• web: https://github.com/gitpod-io/gitpod/releases/tag/release-2022.11.2
• fix: [server] strict same site origin for /api/gitpod endpoint gitpod-io/gitpod#16378
• fix: [public-api-server] Forward Origin header where provided gitpod-io/gitpod#16405
• fix: gitpod-io/gitpod@1295698
• fix: gitpod-io/gitpod@673ab68
• web: https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/
• Imported by: https://pkg.go.dev/github.com/gitpod-io/gitpod?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/gitpod-io/gitpod
    packages:
      - package: Gitpod
description: |
    An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace.
cves:
  - CVE-2023-0957
references:
  - web: https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=default&orgId=71ccd717-aa2d-4a1e-942e-c768d37e9e0c&tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d
  - web: https://github.com/gitpod-io/gitpod/releases/tag/release-2022.11.2
  - fix: https://github.com/gitpod-io/gitpod/pull/16378
  - fix: https://github.com/gitpod-io/gitpod/pull/16405
  - fix: https://github.com/gitpod-io/gitpod/commit/12956988eec0031f42ffdfa3bdc3359f65628f9f
  - fix: https://github.com/gitpod-io/gitpod/commit/673ab6856fa04c13b7b1f2a968e4d090f1d94e4f
  - web: https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/

[gopherbot]

Change https://go.dev/cl/473355 mentions this issue: data/excluded: batch add GO-2023-1605

[gopherbot]

Change https://go.dev/cl/592759 mentions this issue: data/reports: unexclude 75 reports