CVE-2020-5415

CRITICAL

Concourse <6.3.1, 6.4.1 - Info Disclosure

Title source: llm

Description

Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.

References (2)

[Patch, Third Party Advisory] https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj

[Third Party Advisory] https://tanzu.vmware.com/security/cve-2020-5415

Scores

CVSS v3 10.0

EPSS 0.0026

EPSS Percentile 48.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Classification

CWE

CWE-290

Status published

Affected Products (3)

pivotal_software/concourse < 6.3.1

concourse/concourse < 6.4.1Go

concourse/dex < 6.4.1Go

Timeline

Published Aug 12, 2020

Tracked Since Feb 18, 2026