CVE-2020-5415
10
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Summary
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| VMware Tanzu | Concourse | 6.4 < 6.4.1 | affected |
| VMware Tanzu | Concourse | 6.3 < 6.3.1 | affected |
Weaknesses
- CWE-290: CWE-290: Authentication Bypass by Spoofing
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj
- https://tanzu.vmware.com/security/cve-2020-5415
References
- https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj
- https://tanzu.vmware.com/security/cve-2020-5415
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.