Gitpod
CPE: cpe:2.3:a:gitpod:gitpod:*:*:*:*:*:*:*
Affected versions: < main-gha.33628
A vulnerability in Gitpod's OAuth integration with Bitbucket, present in versions prior to main-gha.33628 for both Gitpod Classic and Gitpod Classic Enterprise, allowed a crafted link to expose a valid Bitbucket access token via the URL fragment. This issue occurred when an authenticated user clicked the link, due to the way Bitbucket returned tokens and how Gitpod managed the redirect process. The vulnerability was limited to Bitbucket, required user interaction, and has been addressed in version main-gha.33628 and later.
Exposed Bitbucket access tokens in the URL fragment, potentially leading to unauthorized access to Bitbucket resources.
To reproduce this vulnerability, log into a Gitpod environment integrated with Bitbucket. Click on a link that has been crafted to include a Bitbucket access token in the URL fragment. This can be done by using a returnTo URL that is not on the allowlist for the Bitbucket integration, which will trigger the vulnerability by causing Gitpod to redirect to a URL that inherits the token fragment.
Users can update to Gitpod version main-gha.33628 or later, where this vulnerability has been fixed.
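The redirect handling described above, as an added illustration that is not Gitpod's own code: a returnTo validator that resolves root-relative paths against the application's own origin, rejects any target whose origin is not on an allowlist, strips any caller-supplied fragment, and emits a Location value with an explicit empty fragment. That last step matters because, under RFC 7231 and the Fetch redirect rules, a Location without a fragment inherits the fragment of the URL that triggered the redirect, which is exactly how a token placed in the callback's fragment can be carried on to a non-allowlisted destination. The allowlist origins and default URL are constructed assumptions, not values from the advisory.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed allowlist of origins a returnTo URL may point at (assumption).
ALLOWED_RETURN_ORIGINS = {
    "https://gitpod.example.com",
    "https://app.gitpod.example.com",
}
# Constructed safe landing page used whenever the candidate is rejected.
DEFAULT_RETURN_TO = "https://gitpod.example.com/"


def origin_of(url):
    """Return 'scheme://host[:port]' for an absolute URL, or None if it has no host."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lowercased; None for scheme-less or host-less input
    if not scheme or not host:
        return None
    port = parts.port  # raises ValueError for a malformed or out-of-range port
    if port is None or (scheme == "https" and port == 443) or (scheme == "http" and port == 80):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def safe_return_to(candidate, allowed_origins=ALLOWED_RETURN_ORIGINS, default=DEFAULT_RETURN_TO):
    """Return an absolute URL that is safe to redirect to, or the default landing page.

    Accepted inputs are root-relative paths (resolved against the default's origin)
    and absolute URLs whose origin is on the allowlist. Anything else, including
    protocol-relative '//host' forms, userinfo tricks, lookalike hosts and
    non-http schemes, falls back to the default. Any fragment the caller supplied
    is discarded so the server controls what ends up after '#'.
    """
    if not isinstance(candidate, str) or not candidate:
        return default
    # Backslashes and control characters are parsed differently by browsers and
    # servers; refuse them outright rather than reason about each parser.
    if "\\" in candidate or any(ord(ch) < 0x20 for ch in candidate):
        return default
    if candidate.startswith("/") and not candidate.startswith("//"):
        resolved = urljoin(default, candidate)  # stays on our own origin
    else:
        resolved = candidate
    try:
        origin = origin_of(resolved)
        parts = urlsplit(resolved)
    except ValueError:  # malformed port, unbalanced IPv6 brackets, etc.
        return default
    if origin is None or origin not in allowed_origins:
        return default
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))


def redirect_location(target):
    """Build the Location header value for a 3xx response to `target`.

    Appending an explicit empty fragment gives the redirect target a non-null
    fragment, so the browser does not copy the fragment of the request URL
    (where an OAuth token may sit) onto the new location.
    """
    return target + "#"


if __name__ == "__main__":
    for probe in ["/workspaces/abc", "https://app.gitpod.example.com/dash?x=1#tok",
                  "//evil.example/", "https://gitpod.example.com@evil.example/",
                  "https://gitpod.example.com.evil.example/", "javascript:alert(1)"]:
        print(f"{probe!r:55} -> {redirect_location(safe_return_to(probe))}")
```

Validating the origin of the fully resolved URL, rather than pattern-matching the raw parameter, is the design choice that closes the open-redirect half of this issue; the explicit `#` on the Location closes the fragment-inheritance half independently, so either control failing still leaves the token on an allowlisted origin or off the redirect entirely.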