For Eclipse Che versions 6.16 to 7.3.0, with both authentication and TLS disabled, visiting a malicious web site could trigger the start of an arbitrary Che workspace. Che with no authentication and no TLS is not usually deployed on a public network but is often used for local installations (e.g. on personal laptops). In that case, even if the Che API is not exposed externally, some javascript running in the local browser is able to send requests to it.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2019-12-19T17:05:12

Updated: 2024-08-05T01:47:13.494Z

Reserved: 2019-10-16T00:00:00

Link: CVE-2019-17633

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2019-12-19T17:15:12.293

Modified: 2019-12-27T18:42:47.767

Link: CVE-2019-17633

cve-icon Redhat

No data.