PT-2026-55111 · Go · Github.Com/Concourse/Concourse

Publicado

2026-07-01

·

Atualizado

2026-07-01

CVSS v4.0

0.0

Nenhuma

VetorAV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Impact

An attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal user's credentials.

Patches

This has been fixed in 8.2.3

Workarounds

None.

Exploit

The issue stems from the underlying processing logic of Go's url package. Normally, ParseRequestURI() will eventually reach an internal url.setPath() function, where the URL will be decoded. However, if RawPath is not empty and validEncoded(RawPath) is true, and the decoded result equals Path, then return RawPath as is; otherwise, escape Path again, i.e., decode it again.
In other words, if the URL contains dangerous characters that should be escaped, such as backslashes (``), then an extra decoding step will be performed. Therefore, /%2Fexample.com will be parsed as //example.com.
On vulnerable versions of Concourse, add /sky/login?redirect uri=/%252Fexample.com/ to your Concourse external URL, login as usual, and you should be redirected to example.com instead of your Concourse web server. The redirect happens after the login flow completes. No credentials are leaked.

Correção

Open Redirect

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-8W27-C4VC-88Q9

Produtos afetados

Github.Com/Concourse/Concourse