Welcome to Gitpod's Trust Center. Gitpod takes a central position in the software development lifecycle. As such, the security of our product is paramount; not only at runtime, but also as we build and deliver Gitpod. Use this Trust Center to learn about our security posture and request full access to our security documentation.
Documents
Vulnerability Affecting Gitpod (CVE-2024-21583)
Context
On June 26th, Gitpod was notified about a vulnerability (CVE-2024-21583) that could allow Git integration takeover through social engineering. Our investigation found no evidence of this vulnerability being exploited.
Remediation
The implementation of authentication cookies has been made more strict in pull request #19973.
Next Steps and Support
- For Gitpod Cloud users: No action is required.
- For Gitpod Enterprise users: Please install version main-gha.27122.
If you have any questions or concerns, please contact us at security@gitpod.io.
Gratitude
Thank you to Elliot Ward from Snyk for disclosing this finding.
Notice on CVE-2024-6387 (RegreSSHion Vulnerability)
Context
OpenSSH versions earlier than 4.4p1, and versions from 8.5p1 up to but not including 9.8p1, are vulnerable to remote code execution. For more details, please refer to the NVD entry for CVE-2024-6387.
Remediation
Relevant dependencies were updated on July 4th to address this vulnerability in #19994.
Next Steps and Support
- For Gitpod Cloud users: No action is required.
- For Gitpod Enterprise users: Please install version main-gha.27057.
If you have any questions or concerns, please contact us at security@gitpod.io.
Notice on CVE-2024-3094
Our team has conducted a thorough investigation of the reported vulnerability in the upstream xz tarballs, present from version 5.6.0 onwards, which could lead to remote code execution (CVE-2024-3094). Gitpod's infrastructure and services remain secure and are unaffected by this vulnerability. No action on your part is required.
Vulnerability Affecting Gitpod Cloud
Context
We were notified about a vulnerability which could allow account takeover on Gitpod Cloud (Gitpod Dedicated is not affected) through social engineering. Our investigation did not find any exploitation of this vulnerability. As part of our mitigation efforts we have updated the affected implementation, invalidated all user sessions in Gitpod Cloud, and recommend that you rotate your authorization with GitHub, GitLab and/or Bitbucket.
Notification date: February 17, 2024. Remediation date: February 21, 2024.
Your action required
Gitpod Dedicated customers
No action required.
Gitpod Cloud customers
For your security, we will require you to sign in to your account again. Additionally, we recommend rotating your authorization with GitHub, GitLab, and Bitbucket. To do so, navigate to your authorized applications page through the links below, find the Gitpod application and select "revoke"; the authorization is re-created the next time you sign in.
- Github: https://github.com/settings/applications
- Gitlab: https://gitlab.com/-/user_settings/applications
- Bitbucket: https://bitbucket.org/account/settings/app-authorizations/
For Gitlab specifically, also go to https://gitpod.io/user/integrations and click on "disconnect provider".
Remediation
- Upon receiving the notification, the Gitpod team conducted an investigation into the GitHub OAuth redirection URL implementation and workflow for both Gitpod Cloud and Dedicated services.
- Our findings indicated a theoretical risk where an attacker could potentially compromise a user's session in Gitpod Cloud through a malicious workspace, relying on social engineering tactics to persuade the victim into clicking a link.
- In response to this discovery and with an abundance of caution, we updated the redirection URL implementation and workflow and proactively invalidated all user sessions in Gitpod Cloud to prevent any possible unauthorized access.
- Furthermore, we have undertaken a comprehensive technical post-mortem to ensure the security of our platform against similar threats in the future.
Impact
Our investigation did not find any exploitation of this vulnerability in either Gitpod Cloud or Gitpod Dedicated. As good practice, we recommend that you rotate your authorization with GitHub, GitLab and/or Bitbucket as outlined above.
Next steps and support
If you are using Gitpod Cloud, we recommend as good practice that you rotate your authorization with GitHub, GitLab and/or Bitbucket as outlined above.
If you have questions or concerns, please reach out to security@gitpod.io.
Gratitude:
Thank you to Philip Papurt from Cure53 and Daniel Lu from Zellic for disclosing this finding.
Security Incident affecting Gitpod Cloud
Context
- On October 19th, we were notified of a security incident exclusively affecting logins on Gitpod Cloud (gitpod.io), wherein a subset of users were erroneously authenticated into a singular, distinct account.
- The duration of the incident spanned 17 minutes, from 12:07:02 UTC to 12:24:00 UTC.
- The exposure was strictly limited to the personal information of one unique user. We notified the impacted user within three hours of the incident.
- Notably, no sensitive data such as security tokens, environment variables, or any data linked to private repositories were compromised.
Remediation
- Immediately upon notification, Gitpod reverted to the previous release within 17 minutes to prevent further exposure.
- Our investigation revealed a technical glitch within Gitpod’s authentication logic, resulting in the impersonation of a singular, distinct account.
- To eliminate unauthorized account access, user sessions were invalidated. Consequently, all Gitpod Cloud users were mandated to re-authenticate.
- A thorough technical post-mortem was conducted on October 20th to prevent such occurrences in the future. Enhanced operational and development practices, including augmented test coverage and a more rigorous review process for authentication-related code, will be implemented going forward.
Impact
- This incident remained isolated to Gitpod Cloud and did not affect Gitpod Dedicated.
- The scope was strictly confined to the personal information of a singular, distinct user on Gitpod Cloud. There was no compromise of sensitive data such as security tokens, environment variables, or any data associated with private repositories.
- Importantly, no data pertaining to any other users was impacted during this incident.
If you have not been notified separately, your account and its data were not affected by this incident, and there is no action for you to take.
If you have questions or concerns, contact security@gitpod.io.
Vulnerability affecting Gitpod
Context:
Gitpod has been notified of a cross-site scripting vulnerability (CVE-2023-32766).
Remediation:
Gitpod has remediated this vulnerability by allowing redirects only for trusted protocols (see #17559).
- If you are a user of gitpod.io, there are no action items.
- If you are a user of Gitpod self-hosted, we recommend updating to version 2022.11.3 through this URL: https://github.com/gitpod-io/gitpod/releases/tag/2022.11.3
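The remediation above restricts redirects to trusted protocols. The following is an added example of that kind of check, written for this page and not taken from Gitpod's code base; the host name `gitpod.example` is a constructed placeholder. A redirect target is accepted only if it parses to an `http:` or `https:` URL on an allow-listed host, so `javascript:` and `data:` targets, which a browser would execute in the page's own context, are rejected along with open redirects to foreign hosts.

```typescript
// Added example, not Gitpod's code. Validates a redirect target before it is
// placed in a Location header or used for client-side navigation.

// Only these schemes may be redirect targets. "javascript:" and "data:" are
// deliberately absent: navigating to them runs attacker-supplied content.
const TRUSTED_PROTOCOLS: ReadonlySet<string> = new Set(["http:", "https:"]);

// Returns the normalised absolute URL if the target is acceptable, else null.
// `base` is the application's own origin (a constructed placeholder below);
// relative paths such as "/workspaces" resolve against it, while
// protocol-relative ("//host/x") and absolute URLs keep their own host and
// must therefore also pass the host allow-list.
function safeRedirectTarget(
  raw: string,
  base: string,
  allowedHosts: readonly string[],
): string | null {
  let url: URL;
  try {
    // The WHATWG parser trims leading/trailing control characters and
    // lower-cases the scheme, so "  JavaScript:alert(1)" still parses to
    // protocol "javascript:" and is caught by the protocol check below.
    url = new URL(raw, base);
  } catch {
    return null; // unparsable input is never a valid redirect
  }
  if (!TRUSTED_PROTOCOLS.has(url.protocol)) {
    return null; // untrusted scheme (javascript:, data:, vbscript:, ...)
  }
  if (!allowedHosts.includes(url.hostname)) {
    return null; // would redirect to a host we do not control
  }
  return url.toString();
}

// Constructed usage: the application's origin and the hosts it may redirect to.
const APP_BASE = "https://gitpod.example";
const REDIRECT_HOSTS: readonly string[] = ["gitpod.example"];

console.log(safeRedirectTarget("/workspaces", APP_BASE, REDIRECT_HOSTS));
console.log(safeRedirectTarget("javascript:alert(1)", APP_BASE, REDIRECT_HOSTS));
```

Resolving relative targets against a fixed base rather than against the request URL matters: a protocol-relative value such as `//evil.example/x` becomes an absolute URL with a foreign host and is rejected by the host check instead of being treated as a local path.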
Gratitude:
Thank you to RyotaK from Flatt Security for disclosing these findings.
Vulnerability affecting Gitpod
Context:
Gitpod has been notified of a vulnerability that may lead to a takeover of shared workspaces (CVE-2023-0957).
Remediation:
Gitpod has remediated this vulnerability by allowing websocket connections to be made from base domains only (see #16378 and #16405).
- If you are a user of gitpod.io, there are no action items.
- If you are a user of Gitpod self-hosted, we recommend updating to version 2022.11.2 through this URL: https://github.com/gitpod-io/gitpod/releases/tag/release-2022.11.2
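The remediation above accepts WebSocket connections from base domains only. As an added example of that kind of Origin check, written for this page and not taken from Gitpod's code base (the origin `https://gitpod.example` is a constructed placeholder): the upgrade request's Origin header is compared against an allow-list of exact origins, so a workspace subdomain that serves user-controlled content cannot open a WebSocket to the API even though it shares the parent domain.

```typescript
// Added example, not Gitpod's code. Decides whether a WebSocket upgrade may
// proceed based on the request's Origin header, accepting only exact base
// origins so that subdomains serving user-controlled content are rejected.

// Exact origins (scheme + host + port) allowed to open an API WebSocket.
// "https://gitpod.example" is a constructed placeholder.
const ALLOWED_WS_ORIGINS: readonly string[] = ["https://gitpod.example"];

function isAllowedWebSocketOrigin(
  originHeader: string | undefined,
  allowedOrigins: readonly string[] = ALLOWED_WS_ORIGINS,
): boolean {
  // Browsers always send Origin on a WebSocket upgrade. A missing header means
  // the client is not a page we served, so there is nothing to trust.
  if (!originHeader) return false;

  let origin: URL;
  try {
    origin = new URL(originHeader);
  } catch {
    return false; // covers the literal "null" origin and malformed values
  }

  // URL.origin normalises the value: default ports are dropped and the host is
  // lower-cased, so "https://GITPOD.example:443" compares as
  // "https://gitpod.example". Comparing whole origins rather than a domain
  // suffix rejects both "https://ws-1.gitpod.example" (a workspace subdomain)
  // and "https://gitpod.example.evil.example" (a look-alike suffix).
  return allowedOrigins.includes(origin.origin);
}

// Constructed usage: the kind of check run in an HTTP "upgrade" handler.
console.log(isAllowedWebSocketOrigin("https://gitpod.example"));
console.log(isAllowedWebSocketOrigin("https://ws-1.gitpod.example"));
```

The check is an allow-list on the full origin rather than an `endsWith` test on the host name, because a suffix test is exactly what lets a sibling subdomain, or a foreign domain that embeds the trusted name, slip through.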
Gratitude:
Thank you to Elliot Ward from Snyk for disclosing these findings.
Notice on OpenSSL Vulnerabilities
Context:
On November 1st, 2022 the OpenSSL Project patched two buffer overflow vulnerabilities (CVE-2022-3786; CVE-2022-3602). Under certain circumstances, an exploit could have resulted in an application crash (denial of service) or potentially in remote code execution.
Remediation:
We have updated all our container images to include the latest OpenSSL version (see #14333).
If you think you may have discovered a vulnerability, please send us a note.