← volver
CVE-2020-5415

Concourse's GitLab auth allows impersonation

CVSS 10 CRITICALEPSS 1.2%CWE-290
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Productos afectados
VMware Tanzu · Concourse

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rjhttps://tanzu.vmware.com/security/cve-2020-5415