Search criteria
2 vulnerabilities found for Concourse by VMware Tanzu
CVE-2020-5415 (GCVE-0-2020-5415)
Vulnerability from cvelistv5 – Published: 2020-08-12 16:40 – Updated: 2024-09-16 17:53
VLAI?
Title
Concourse's GitLab auth allows impersonation
Summary
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
Severity ?
10 (Critical)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware Tanzu | Concourse |
Affected:
6.4 , < 6.4.1
(custom)
Affected: 6.3 , < 6.3.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.023Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5415"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Concourse",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "6.4.1",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"lessThan": "6.3.1",
"status": "affected",
"version": "6.3",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-12T16:40:14",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5415"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Concourse\u0027s GitLab auth allows impersonation",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-08-12T02:35:17.000Z",
"ID": "CVE-2020-5415",
"STATE": "PUBLIC",
"TITLE": "Concourse\u0027s GitLab auth allows impersonation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Concourse",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.4",
"version_value": "6.4.1"
},
{
"version_affected": "\u003c",
"version_name": "6.3",
"version_value": "6.3.1"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-290: Authentication Bypass by Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj",
"refsource": "CONFIRM",
"url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
},
{
"name": "https://tanzu.vmware.com/security/cve-2020-5415",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2020-5415"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5415",
"datePublished": "2020-08-12T16:40:14.465847Z",
"dateReserved": "2020-01-03T00:00:00",
"dateUpdated": "2024-09-16T17:53:07.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5415 (GCVE-0-2020-5415)
Vulnerability from nvd – Published: 2020-08-12 16:40 – Updated: 2024-09-16 17:53
VLAI?
Title
Concourse's GitLab auth allows impersonation
Summary
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
Severity ?
10 (Critical)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware Tanzu | Concourse |
Affected:
6.4 , < 6.4.1
(custom)
Affected: 6.3 , < 6.3.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.023Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5415"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Concourse",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "6.4.1",
"status": "affected",
"version": "6.4",
"versionType": "custom"
},
{
"lessThan": "6.3.1",
"status": "affected",
"version": "6.3",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-12T16:40:14",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5415"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Concourse\u0027s GitLab auth allows impersonation",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-08-12T02:35:17.000Z",
"ID": "CVE-2020-5415",
"STATE": "PUBLIC",
"TITLE": "Concourse\u0027s GitLab auth allows impersonation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Concourse",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.4",
"version_value": "6.4.1"
},
{
"version_affected": "\u003c",
"version_name": "6.3",
"version_value": "6.3.1"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-290: Authentication Bypass by Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj",
"refsource": "CONFIRM",
"url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
},
{
"name": "https://tanzu.vmware.com/security/cve-2020-5415",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2020-5415"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5415",
"datePublished": "2020-08-12T16:40:14.465847Z",
"dateReserved": "2020-01-03T00:00:00",
"dateUpdated": "2024-09-16T17:53:07.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}