Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Concourse by VMware Tanzu

    CVE-2020-5415 (GCVE-0-2020-5415)

    Vulnerability from nvd – Published: 2020-08-12 16:40 – Updated: 2024-09-16 17:53
    VLAI
    Title
    Concourse's GitLab auth allows impersonation
    Summary
    Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    References
    Impacted products
    Vendor Product Version
    VMware Tanzu Concourse Affected: 6.4 , < 6.4.1 (custom)
    Affected: 6.3 , < 6.3.1 (custom)
    Create a notification for this product.
    Date Public
    2020-08-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T08:30:24.023Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://tanzu.vmware.com/security/cve-2020-5415"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Concourse",
              "vendor": "VMware Tanzu",
              "versions": [
                {
                  "lessThan": "6.4.1",
                  "status": "affected",
                  "version": "6.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.3.1",
                  "status": "affected",
                  "version": "6.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-08-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-08-12T16:40:14.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://tanzu.vmware.com/security/cve-2020-5415"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Concourse\u0027s GitLab auth allows impersonation",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2020-08-12T02:35:17.000Z",
              "ID": "CVE-2020-5415",
              "STATE": "PUBLIC",
              "TITLE": "Concourse\u0027s GitLab auth allows impersonation"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Concourse",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "6.4",
                                "version_value": "6.4.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "6.3",
                                "version_value": "6.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VMware Tanzu"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-290: Authentication Bypass by Spoofing"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
                },
                {
                  "name": "https://tanzu.vmware.com/security/cve-2020-5415",
                  "refsource": "CONFIRM",
                  "url": "https://tanzu.vmware.com/security/cve-2020-5415"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2020-5415",
        "datePublished": "2020-08-12T16:40:14.465Z",
        "dateReserved": "2020-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:53:07.446Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-5415 (GCVE-0-2020-5415)

    Vulnerability from cvelistv5 – Published: 2020-08-12 16:40 – Updated: 2024-09-16 17:53
    VLAI
    Title
    Concourse's GitLab auth allows impersonation
    Summary
    Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    References
    Impacted products
    Vendor Product Version
    VMware Tanzu Concourse Affected: 6.4 , < 6.4.1 (custom)
    Affected: 6.3 , < 6.3.1 (custom)
    Create a notification for this product.
    Date Public
    2020-08-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T08:30:24.023Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://tanzu.vmware.com/security/cve-2020-5415"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Concourse",
              "vendor": "VMware Tanzu",
              "versions": [
                {
                  "lessThan": "6.4.1",
                  "status": "affected",
                  "version": "6.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.3.1",
                  "status": "affected",
                  "version": "6.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-08-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-08-12T16:40:14.000Z",
            "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
            "shortName": "pivotal"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://tanzu.vmware.com/security/cve-2020-5415"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Concourse\u0027s GitLab auth allows impersonation",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@pivotal.io",
              "DATE_PUBLIC": "2020-08-12T02:35:17.000Z",
              "ID": "CVE-2020-5415",
              "STATE": "PUBLIC",
              "TITLE": "Concourse\u0027s GitLab auth allows impersonation"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Concourse",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "6.4",
                                "version_value": "6.4.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "6.3",
                                "version_value": "6.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VMware Tanzu"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-290: Authentication Bypass by Spoofing"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
                },
                {
                  "name": "https://tanzu.vmware.com/security/cve-2020-5415",
                  "refsource": "CONFIRM",
                  "url": "https://tanzu.vmware.com/security/cve-2020-5415"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "assignerShortName": "pivotal",
        "cveId": "CVE-2020-5415",
        "datePublished": "2020-08-12T16:40:14.465Z",
        "dateReserved": "2020-01-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:53:07.446Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }