[che-dev] Che first CVE

Hi all,

A few weeks ago we were contacted by Michael Grube from the University of Michigan Medicine about a security vulnerability. A few days later we released a fix, which has been merged into releases 7.3.1 and 7.4.0. The vulnerability was disclosed today.

Although it affected only unsecured Che instances (with authentication and TLS both disabled), the vulnerability made it possible for a malicious website to send requests to the local Che server API if a user opened it in his browser.

This vulnerability doesn't affect CodeReady Workspaces because single user is not supported in this case.

Details are available on the CVE list [1].

Mario

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17633

