CVE-2020-5415
Concourse's GitLab auth allows impersonation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
Concourse, versiones anteriores a 6.3.1 y 6.4.1, en instalaciones que utilizan el conector de autenticación de GitLab, es vulnerable a la suplantación de identidad mediante la configuración de una cuenta de GitLab con el mismo nombre completo que otro usuario al que se le concede acceso a un equipo de Concourse. Los grupos de GitLab no tienen esta vulnerabilidad, por lo que los usuarios de GitLab pueden ser movidos a grupos que luego son configurados en el equipo de Concourse
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-01-03 CVE Reserved
- 2020-08-12 CVE Published
- 2023-04-28 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-290: Authentication Bypass by Spoofing
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://tanzu.vmware.com/security/cve-2020-5415 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj | 2020-08-19 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Pivotal Software Search vendor "Pivotal Software" | Concourse Search vendor "Pivotal Software" for product "Concourse" | < 6.3.1 Search vendor "Pivotal Software" for product "Concourse" and version " < 6.3.1" | - |
Affected
| ||||||
Pivotal Software Search vendor "Pivotal Software" | Concourse Search vendor "Pivotal Software" for product "Concourse" | >= 6.4.0 < 6.4.1 Search vendor "Pivotal Software" for product "Concourse" and version " >= 6.4.0 < 6.4.1" | - |
Affected
|