Trust Center


Welcome to Gitpod's Trust Center. Gitpod takes a central position in the software development lifecycle. As such, the security of our product is paramount; not only at runtime, but also as we build and deliver Gitpod. Use this Trust Center to learn about our security posture and request full access to our security documentation.



Security Notifications


Vulnerability Affecting Gitpod (CVE-2024-21583)

Context

On June 26th, Gitpod was notified of a vulnerability (CVE-2024-21583) that could allow Git integration takeover through social engineering. Our investigation found no evidence of this vulnerability being exploited.

Remediation

The implementation of authentication cookies has been made more strict in pull request #19973.

Next Steps and Support

  • For Gitpod Cloud users: No action is required.
  • For Gitpod Enterprise users: Please install version main-gha.27122.

If you have any questions or concerns, please contact us at security@gitpod.io.

Gratitude

Thank you to Elliot Ward from Snyk for disclosing this finding.


Notice on CVE-2024-6387 (RegreSSHion Vulnerability)

Context

OpenSSH versions earlier than 4.4p1, and versions from 8.5p1 up to but not including 9.8p1, are vulnerable to remote code execution. For more details, please refer to the NVD entry for CVE-2024-6387.

Remediation

Relevant dependencies were updated on July 4th to address this vulnerability in #19994.

Next Steps and Support

  • For Gitpod Cloud users: No action is required.
  • For Gitpod Enterprise users: Please install version main-gha.27057.

If you have any questions or concerns, please contact us at security@gitpod.io.


Notice on CVE-2024-3094

Our team has conducted a thorough investigation of the reported backdoor in the upstream xz tarballs from version 5.6.0 onwards, which could lead to remote code execution (CVE-2024-3094). We can confirm that Gitpod's infrastructure and services are not affected by this vulnerability. No action is required on your part.


Vulnerability Affecting Gitpod Cloud

Context

We were notified of a vulnerability that could allow account takeover on Gitpod Cloud (Gitpod Dedicated is not affected) through social engineering. Our investigation did not find any exploitation of this vulnerability. As part of our mitigation efforts we have updated the affected implementation, invalidated all user sessions in Gitpod Cloud, and recommend that you rotate your authorization with GitHub, GitLab and/or Bitbucket.

Notification date: February 17, 2024. Remediation date: February 21, 2024

Your action required

Gitpod Dedicated customers

No action required.

Gitpod Cloud customers

For your security, we will require you to sign in to your account again. Additionally, we recommend updating your authorization credentials with GitHub, GitLab, and Bitbucket. This can be done by navigating to the authorized applications section of each provider through the links provided below. Once there, find the Gitpod application and select “revoke” to refresh your authorization.

For GitLab specifically, also go to https://gitpod.io/user/integrations and click on "disconnect provider".

Remediation

  • Upon receiving the notification, the Gitpod team conducted an investigation into the GitHub OAuth redirection URL implementation and workflow for both Gitpod Cloud and Dedicated services.
  • Our findings indicated a theoretical risk where an attacker could potentially compromise a user's session in Gitpod Cloud through a malicious workspace, relying on social engineering tactics to persuade the victim into clicking a link.
  • In response to this discovery and with an abundance of caution, we updated the redirection URL implementation and workflow and proactively invalidated all user sessions in Gitpod Cloud to prevent any possible unauthorized access.
  • Furthermore, we have undertaken a comprehensive technical post-mortem to ensure the security of our platform against similar threats in the future.

Impact

Our investigation did not find any exploitation of this vulnerability in either Gitpod Cloud or Gitpod Dedicated. As good practice, we recommend that you rotate your authorization with GitHub, GitLab and/or Bitbucket as outlined above.

Next steps and support

If you are using Gitpod Cloud, as good practice we recommend that you rotate your authorization with GitHub, GitLab and/or Bitbucket as outlined above.

If you have questions or concerns, please reach out to security@gitpod.io.

Gratitude:

Thank you to Philip Papurt from Cure53 and Daniel Lu from Zellic for disclosing this finding.


Security Incident affecting Gitpod Cloud

Context

  • On October 19th, we were notified of a security incident exclusively affecting logins on Gitpod Cloud (gitpod.io), wherein a subset of users were erroneously authenticated into a singular, distinct account.
  • The duration of the incident spanned 17 minutes, from 12:07:02 UTC to 12:24:00 UTC.
  • The exposure was strictly limited to the personal information of one unique user. We notified the impacted user within three hours of the incident.
  • Notably, no sensitive data such as security tokens, environment variables, or any data linked to private repositories were compromised.

Remediation

  • Immediately upon notification, Gitpod reverted to the previous release within 17 minutes to prevent further exposure.
  • Our investigation revealed a technical glitch within Gitpod’s authentication logic, resulting in the impersonation of a singular, distinct account.
  • To eliminate unauthorized account access, user sessions were invalidated. Consequently, all Gitpod Cloud users were mandated to re-authenticate.
  • A thorough technical post-mortem was conducted on October 20th to prevent such occurrences in the future. Enhanced operational and development practices, including augmented test coverage and a more rigorous review process for authentication-related code, will be implemented going forward.

Impact

  • This incident remained isolated to Gitpod Cloud and did not affect Gitpod Dedicated.
  • The scope was strictly confined to the personal information of a singular, distinct user on Gitpod Cloud. There was no compromise of sensitive data such as security tokens, environment variables, or any data associated with private repositories.
  • Importantly, no data pertaining to any other users was impacted during this incident.

If you have not been notified separately, your account and its data were not affected by this incident, and there is no action for you to take.

If you have questions or concerns contact security@gitpod.io.


Vulnerability affecting Gitpod

Context:

Gitpod has been notified of a cross-site scripting vulnerability (CVE-2023-32766).

Remediation:

Gitpod has remediated this vulnerability by allowing redirects only for trusted protocols (see #17559).

Gratitude:

Thank you to RyotaK from Flatt Security for disclosing these findings.


Vulnerability affecting Gitpod

Context:

Gitpod has been notified of a vulnerability that may lead to a takeover of shared workspaces (CVE-2023-0957).

Remediation:

Gitpod has remediated this vulnerability by allowing websocket connections to be made from base domains only (see #16378 and #16405).

Gratitude:

Thank you to Elliot Ward from Snyk for disclosing these findings.


Notice on OpenSSL Vulnerabilities

Context:

On November 1st, 2022 the OpenSSL Project patched two buffer overflow vulnerabilities (CVE-2022-3786; CVE-2022-3602). Under certain circumstances, an exploit could have resulted in an application crash (denial of service) or potential remote code execution.

Remediation:

We have updated all our container images to include the latest OpenSSL version (see #14333).


If you think you may have discovered a vulnerability, please send us a note.
