Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:NPivotal Software Concourse
APPPivotal Software< 6.3.16.4.0 – 6.4.1 (bez)
Related vulnerabilities
Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows redirects to untrusted websites. A r...
Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact, if a customer o...
Concourse (7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9) contains an authorization bypass issue. A Concourse ...
Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow. A r...
Pivotal Concourse version 5.0.0, contains an API that is vulnerable to SQL injection. An Concourse resource ca...