Critical severity10.0NVD Advisory· Published Aug 12, 2020· Updated Jun 17, 2026
CVE-2020-5415
CVE-2020-5415
Description
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/concourse/concourseGo | >= 6.4.0, < 6.4.1 | 6.4.1 |
github.com/concourse/concourseGo | >= 1.6.1, < 6.3.1 | 6.3.1 |
github.com/concourse/dexGo | >= 6.4.0, < 6.4.1 | 6.4.1 |
github.com/concourse/dexGo | >= 0.0.0, < 6.3.1 | 6.3.1 |
github.com/concourse/dexGo | < 0.0.0-20200730150203-821b48abfd88 | 0.0.0-20200730150203-821b48abfd88 |
github.com/concourse/concourseGo | < 0.0.0-20200730151558-b00d1c8d8576 | 0.0.0-20200730151558-b00d1c8d8576 |
github.com/concourse/concourseGo | >= 0.0.0, < 1.6.1-0.20200730151558-b00d1c8d8576 | 1.6.1-0.20200730151558-b00d1c8d8576 |
Affected products
4- osv-coords3 versions
< 6.3.1+ 2 more
- (no CPE)range: < 6.3.1
- (no CPE)range: >= 6.4.0, < 6.4.1
- (no CPE)range: >= 6.4.0, < 6.4.1
Patches
Vulnerability mechanics
References
4- github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rjnvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-627p-rr78-99rjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-5415ghsaADVISORY
- tanzu.vmware.com/security/cve-2020-5415nvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.