BIT-concourse-2020-5415

Import Source
https://github.com/bitnami/vulndb/tree/main/data/concourse/BIT-concourse-2020-5415.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-concourse-2020-5415
Aliases
Published
2024-03-06T10:51:03.790Z
Modified
2025-05-20T10:02:07.006Z
Summary
Concourse's GitLab auth allows impersonation
Details

Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.

Database specific
{
    "severity": "Critical",
    "cpes": [
        "cpe:2.3:a:pivotal_software:concourse:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / concourse

Package

Name
concourse
Purl
pkg:bitnami/concourse

Severity

  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.3.1
Introduced
6.4.0
Fixed
6.4.1