Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/concourse/concourse(Go) | 6.4.0 | 6.4.1 | N/A |
| github.com/concourse/concourse(Go) | 1.6.1 | 6.3.1 | N/A |
| github.com/concourse/dex(Go) | 6.4.0 | 6.4.1 | N/A |
| github.com/concourse/dex(Go) | 0.0.0 | 6.3.1 | N/A |
| github.com/concourse/dex(Go) | 0 | 0.0.0-20200730150203-821b48abfd88 | N/A |
| github.com/concourse/concourse(Go) | 0 | 0.0.0-20200730151558-b00d1c8d8576 | N/A |
| github.com/concourse/concourse(Go) | 0.0.0 | 1.6.1-0.20200730151558-b00d1c8d8576 | N/A |
CVSS Metrics
