VYPR
Critical severity10.0NVD Advisory· Published Aug 12, 2020· Updated Jun 17, 2026

CVE-2020-5415

CVE-2020-5415

Description

Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/concourse/concourseGo
>= 6.4.0, < 6.4.16.4.1
github.com/concourse/concourseGo
>= 1.6.1, < 6.3.16.3.1
github.com/concourse/dexGo
>= 6.4.0, < 6.4.16.4.1
github.com/concourse/dexGo
>= 0.0.0, < 6.3.16.3.1
github.com/concourse/dexGo
< 0.0.0-20200730150203-821b48abfd880.0.0-20200730150203-821b48abfd88
github.com/concourse/concourseGo
< 0.0.0-20200730151558-b00d1c8d85760.0.0-20200730151558-b00d1c8d8576
github.com/concourse/concourseGo
>= 0.0.0, < 1.6.1-0.20200730151558-b00d1c8d85761.6.1-0.20200730151558-b00d1c8d8576

Affected products

4

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.