CVE-2020-5415 Information

Description

Concourse versions prior to 6.3.1 and 6.4.1, in installations that use the GitLab auth connector, are vulnerable to identity spoofing: a GitLab account configured with the same full name as another user who is granted access to a Concourse team is treated as that user. GitLab groups are not affected by this vulnerability, so as a mitigation GitLab users may be moved into groups, which are then configured in the Concourse team instead of individual users.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Reference

https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj
https://tanzu.vmware.com/security/cve-2020-5415

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

10.0

Base Severity

CRITICAL
