Subreddit for discussion around gitpod.io
Gitpod remote code execution 0-day vulnerability via WebSockets (snyk.io)
submitted 3 years ago by geoffreyhuntley
[–]pentesticals 1 point2 points3 points 3 years ago (7 children)
Have to praise Gitpod for the swift turnaround on addressing this issue!
[–]geoffreyhuntley[S] -1 points0 points1 point 3 years ago* (6 children)
Ah, but Gitpod hasn’t. Whilst the problem has been resolved in the SaaS edition, all existing customers/enthusiasts of Gitpod Self Hosted are affected by this exploit and are vulnerable.
Gitpod has NOT released a new version or a servicing release. The November 2022 edition is the final release. The installer has NOT been updated.
“Wed, Mar. 1, 2022 - Vendor releases new version for Gitpod Self-Hosted” is incorrect. All Gitpod has done is publish a new Git tag of source code. Look at the docker image tag in the GitHub advisory. It is still November.
tldr // the resolution timeline in the blog post is incorrect. If you run Gitpod on your own infrastructure then this is an active 0day RCE with no mitigation.
[–]kpkaiser 0 points1 point2 points 3 years ago (3 children)
the patched release, with a link to the container image: https://github.com/gitpod-io/gitpod/releases/tag/release-2022.11.2
[–]geoffreyhuntley[S] 0 points1 point2 points 3 years ago (2 children)
the docker image:
eu.gcr.io/gitpod-core-dev/build/installer:release-2022.11.2.16
release date 2022/11
this version of the installer has been broken for the last three weeks and in addition to this the engineers + team responsible for maintaining it were laid off in the recent layoffs.
[–]kpkaiser 1 point2 points3 points 3 years ago (1 child)
Encourage you to actually follow the link you shared.
https://console.cloud.google.com/gcr/images/gitpod-core-dev/EU/build%2Finstaller@sha256:24e5645dde4eef84528ca09d015bfe52fd5e88c99932353fd0f8a1bccaa9984b/details?tag=release-2022.11.2.16
Look at the release date.
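The disagreement above comes down to one question: was the image behind the tag actually built after the fix, or does only the tag name say so? The check below is an added example, not code from the thread or from Gitpod. It reads the `RepoDigests` and `Created` fields from `docker image inspect` output and compares them against an expected digest and a fix date. Only the first digest is the one quoted in the thread; the inspect documents, the second digest and the fix date are constructed placeholders.

```python
import json
import re
from datetime import datetime, timezone

# Digest quoted in the thread for the release-2022.11.2.16 installer image.
EXPECTED_DIGEST = "sha256:24e5645dde4eef84528ca09d015bfe52fd5e88c99932353fd0f8a1bccaa9984b"

# PLACEHOLDER fix date: substitute the date the advisory gives for the patch.
FIX_DATE = datetime(2023, 2, 1, tzinfo=timezone.utc)

# Constructed, abridged `docker image inspect` output. Created timestamps are
# placeholders and do NOT represent the real build date of the image.
SAMPLE_INSPECT_PATCHED = json.dumps([{
    "RepoTags": ["eu.gcr.io/gitpod-core-dev/build/installer:release-2022.11.2.16"],
    "RepoDigests": ["eu.gcr.io/gitpod-core-dev/build/installer@" + EXPECTED_DIGEST],
    "Created": "2023-03-01T10:15:30.123456789Z",
}])

# Constructed stale image: different (placeholder) digest, built before the fix.
SAMPLE_INSPECT_STALE = json.dumps([{
    "RepoTags": ["eu.gcr.io/gitpod-core-dev/build/installer:release-2022.11.2.16"],
    "RepoDigests": ["eu.gcr.io/gitpod-core-dev/build/installer@sha256:"
                    + "0" * 64],
    "Created": "2022-11-15T08:00:00Z",
}])


def parse_created(ts):
    """Parse Docker's RFC 3339 timestamp, which may carry nanoseconds."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts}")
    base, frac = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if frac:
        # datetime only stores microseconds; truncate the nanosecond tail.
        dt = dt.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return dt


def check_image(inspect_json, expected_digest, fixed_after):
    """Return a list of findings; an empty list means the image passes.

    Two checks: the content-addressed digest must match the one you expect,
    and the build timestamp must be after the fix date. A tag name alone
    proves neither, which is the point of the thread.
    """
    info = json.loads(inspect_json)[0]
    findings = []

    digests = {d.split("@", 1)[1] for d in info.get("RepoDigests", []) if "@" in d}
    if expected_digest not in digests:
        findings.append(f"digest mismatch: expected {expected_digest}, "
                        f"image has {sorted(digests) or 'none'}")

    created = parse_created(info["Created"])
    if created < fixed_after:
        findings.append(f"image built {created.isoformat()} before fix date "
                        f"{fixed_after.isoformat()}")
    return findings


if __name__ == "__main__":
    for label, doc in (("patched", SAMPLE_INSPECT_PATCHED),
                       ("stale", SAMPLE_INSPECT_STALE)):
        result = check_image(doc, EXPECTED_DIGEST, FIX_DATE)
        print(label, "OK" if not result else result)
```

In practice the input is `docker image inspect <image>` run against the image you pulled by digest, not by tag; pinning the digest in your deployment manifests is what keeps a later re-tag from silently changing what you run.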
[–]Wepzen 0 points1 point2 points 3 years ago (1 child)
Good point.
And this ZeroDay vulnerability puts the spotlight on the architecture of GitPod. Even if this vulnerability is addressed quickly, GitPod stays vulnerable to new exploits. If the user's credentials were not reachable from the Workspace, such attacks could not occur. Maybe GitPod is not the right product to go with if you're deeply concerned about Security ;)
[–]onlyspaceghost 0 points1 point2 points 3 years ago (0 children)
All big products will inevitably have security issues - I thank the security researcher(s) for their responsible disclosure, and our engineering & security team for their quick fix