Vulnerability Description
A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge of the service name and namespace of the target pod.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Che | < 7.9.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10689Issue TrackingPatchThird Party Advisory
- https://github.com/eclipse/che/issues/15651ExploitIssue TrackingThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10689Issue TrackingPatchThird Party Advisory
- https://github.com/eclipse/che/issues/15651ExploitIssue TrackingThird Party Advisory
FAQ
What is CVE-2020-10689?
CVE-2020-10689 is a vulnerability with a CVSS score of 6.4 (MEDIUM). A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to...
How severe is CVE-2020-10689?
CVE-2020-10689 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-10689?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Che.