CVE-2020-10689

low-risk
Published 2020-04-03

A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge of the service name and namespace of the target pod.

Do I need to act?

-
0.08% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.4/10 Medium
ADJACENT_NETWORK / HIGH complexity

Affected Products (1)

Che

Affected Vendors

Eclipse

References (4)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10689
Exploit https://github.com/eclipse/che/issues/15651
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10689
Exploit https://github.com/eclipse/che/issues/15651
22
/ 100
low-risk
Severity 17/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal