Bitnami package
concourse
pkg:bitnami/concourse
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-31683 | — | | | >= 6.0.0, < 6.7.9 | 6.7.9 | Dec 19, 2022 | Concourse (7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9) contains an authorization bypass issue. A Concourse user can send a request with a body including :team_name=team2 to bypass the team scope check and gain access to certain resources belonging to any other team. |
| CVE-2020-5415 | — | | | < 6.3.1 | 6.3.1 | Aug 12, 2020 | Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not ha |
| CVE-2020-5409 | — | | | < 5.2.8 | 5.2.8 | May 13, 2020 | Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow. A remote unauthenticated attacker could convince a user to click on a link using the OAuth redirect link with an untrusted website and gain access to that user's access toke |