Concourse · Concourse · CVE-2022-31683
**Name of the Vulnerable Software and Affected Versions**
Concourse versions 6.x.y prior to 6.7.9
Concourse versions 7.x.y prior to 7.8.3
**Description**
The issue is an authorization bypass: a Concourse user can send a request whose body includes `:team name=team2`, and that body value is used for the team scope check instead of the team named in the URL path, so the user gains access to certain resources belonging to any other team. Affected endpoints include "/api/v1/teams/:team name/pipelines/:pipeline name/jobs/:job name/builds/:build name" with the POST method and "/api/v1/teams/:team name/pipelines/:pipeline name/jobs/:job name/pause" with the PUT method. The user needs only a valid user session and membership in team2 (the team named in the body), not membership in the team named in the path.
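The following Go program is an added illustration of the bug class the advisory describes; it is not Concourse's code and does not reproduce its router or session handling. It models a handler whose team scope check accepts a route-parameter key from the request body in place of the path segment (the bug), next to a handler that derives the scope only from the path. The form key `:team_name`, the `X-User` header standing in for the session, and the membership table are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// routeParamKey is the body key that, in the vulnerable model, shadows the
// path's team segment. ASSUMPTION: the advisory writes it as ":team name";
// the exact key used by the real software is not reproduced here.
const routeParamKey = ":team_name"

// teamMembership is a CONSTRUCTED stand-in for the session store: user -> teams.
var teamMembership = map[string][]string{
	"alice": {"team2"},
	"bob":   {"team1", "team2"},
}

// isMember reports whether user belongs to team.
func isMember(user, team string) bool {
	for _, t := range teamMembership[user] {
		if t == team {
			return true
		}
	}
	return false
}

// pathTeam returns the <team> segment of /api/v1/teams/<team>/... or "" if
// the path does not have that shape.
func pathTeam(p string) string {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	if len(parts) >= 4 && parts[0] == "api" && parts[1] == "v1" && parts[2] == "teams" {
		return parts[3]
	}
	return ""
}

// vulnerableHandler models the bypass: the team used for the scope check is
// taken from the route-param key in the request body when one is present,
// so a member of team2 passes the check while the path names team1.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	user := r.Header.Get("X-User") // constructed stand-in for the authenticated session
	scopeTeam := pathTeam(r.URL.Path)
	if override := r.FormValue(routeParamKey); override != "" {
		scopeTeam = override // body value shadows the path segment: the defect
	}
	if scopeTeam == "" || !isMember(user, scopeTeam) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	// The operation still targets the team named in the path.
	fmt.Fprintf(w, "paused job in team %s", pathTeam(r.URL.Path))
}

// fixedHandler derives the scope only from the path; nothing in the body can
// change which team the membership check applies to.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	user := r.Header.Get("X-User")
	scopeTeam := pathTeam(r.URL.Path)
	if scopeTeam == "" || !isMember(user, scopeTeam) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "paused job in team %s", scopeTeam)
}

// send performs a PUT with a form-encoded body against h and returns the status code.
func send(h http.HandlerFunc, user, path, body string) int {
	req := httptest.NewRequest(http.MethodPut, path, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	// alice is only in team2 but the path targets team1.
	path := "/api/v1/teams/team1/pipelines/p/jobs/j/pause"
	body := routeParamKey + "=team2"
	fmt.Println("vulnerable:", send(vulnerableHandler, "alice", path, body)) // 200
	fmt.Println("fixed:     ", send(fixedHandler, "alice", path, body))      // 403
}
```

The defender's takeaway is the shape of `fixedHandler`: the authorization subject (which team the request is scoped to) must come from the same source the operation itself uses, here the path, and must never be overridable by user-controlled request data.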
**Recommendations**
For Concourse versions 6.x.y prior to 6.7.9, update to version 6.7.9 to resolve the issue.
For Concourse versions 7.x.y prior to 7.8.3, update to version 7.8.3 to resolve the issue.
As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "/api/v1/teams/:team name/pipelines/:pipeline name/jobs/:job name/builds/:build name" and "/api/v1/teams/:team name/pipelines/:pipeline name/jobs/:job name/pause", until a patch is applied.