Headline
CVE-2020-10689: pods in kubernetes cluster can bypass JWT proxy and send unauthenticated requests to workspace pods
A flaw was found in Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass the JWT proxy and gain access to another user's workspace pods. Successful exploitation requires knowledge of the service name and namespace of the target pod.
Description Marco Benatto 2020-03-24 18:04:12 UTC
On Eclipse Che up to version 7.8.x, any pod running in a Kubernetes cluster is able to send unauthenticated requests to Eclipse Che Workspace pods, bypassing the JWT proxy. This implies a user can send requests to another user's machine-exec container and gain access to it, bypassing the JWT proxy.
For an attack to be considered successful, the attacker needs to know the IP or name of the targeted service and the namespace where workspaces are running. This flaw was fixed in Eclipse Che 7.9.0.
https://github.com/eclipse/che/issues/15651
Comment 4 Marco Benatto 2020-03-30 20:47:42 UTC
Acknowledgments:
Name: Mario Loriedo (Red Hat)
Comment 6 Marco Benatto 2020-04-01 15:09:05 UTC
Eclipse Che uses JWTProxy to authenticate requests sent among pods from the same workspace; however, a flaw was found in the way JWTProxy is used by Eclipse Che, making it possible for an attacker to interact with the Theia server from a workspace different from the one they own. This issue is not trivial to exploit, as the attacker needs high privileges in cluster-wide scope and must know the IP of the container running the targeted Theia server.