High severityNVD Advisory· Published Aug 12, 2020· Updated Sep 16, 2024

Concourse's GitLab auth allows impersonation

CVE-2020-5415

Description

Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/concourse/concourseGo	>= 6.4.0, < 6.4.1	6.4.1
github.com/concourse/concourseGo	>= 1.6.1, < 6.3.1	6.3.1
github.com/concourse/dexGo	>= 6.4.0, < 6.4.1	6.4.1
github.com/concourse/dexGo	>= 0.0.0, < 6.3.1	6.3.1
github.com/concourse/dexGo	< 0.0.0-20200730150203-821b48abfd88	0.0.0-20200730150203-821b48abfd88
github.com/concourse/concourseGo	< 0.0.0-20200730151558-b00d1c8d8576	0.0.0-20200730151558-b00d1c8d8576
github.com/concourse/concourseGo	>= 0.0.0, < 1.6.1-0.20200730151558-b00d1c8d8576	1.6.1-0.20200730151558-b00d1c8d8576

Affected products

VMware Tanzu/Concoursev5
Range: 6.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-627p-rr78-99rjghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-5415ghsaADVISORY
github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rjghsax_refsource_CONFIRMWEB
tanzu.vmware.com/security/cve-2020-5415ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000