Skip to main content

Authentication Bypass by Spoofing

CVE-2020-5415

Severity High
Score 10/10

Summary

Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.

  • LOW
  • NETWORK
  • HIGH
  • CHANGED
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-290 - Authentication Bypass by Spoofing

This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.

Advisory Timeline

  • Published