PT-2020-18463 · Pivotal · Concourse
Mik317 · Published 2020-05-13 · Updated 2024-03-06 · CVE-2020-5409
CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions
Pivotal Concourse versions prior to 6.0.0
Description
Concourse's login flow allows redirects to untrusted websites. A remote, unauthenticated attacker could convince a user to click a login link whose OAuth redirect parameter points to an untrusted website and thereby obtain that user's Concourse access token.
Recommendations
For versions prior to 6.0.0, update to version 6.0.0 or later to resolve the issue. As a temporary workaround, restrict the OAuth redirect target to trusted destinations only, and avoid following login links that redirect to untrusted websites until the fix is applied.
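A defender-side illustration of the workaround above (restricting the post-login redirect target to trusted destinations), added here as an example and not code from Concourse: a Go validator that accepts only same-site paths or http(s) URLs on an allowlisted host and falls back to a safe default otherwise. The `allowedHosts` allowlist, the `SafeRedirect` name and the sample inputs are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist standing in for the Concourse
// instance's own external host; a deployment would fill it from its config.
var allowedHosts = map[string]bool{"concourse.example.com": true}

// SafeRedirect validates the target of a post-login redirect. It accepts a
// same-site absolute path or an http(s) URL on an allowlisted host and
// returns the normalised target; anything else yields fallback and ok=false.
func SafeRedirect(raw, fallback string) (target string, ok bool) {
	// Browsers turn "\" into "/", so "/\evil.example" would become
	// scheme-relative; reject it (and control characters) before parsing.
	if strings.ContainsAny(raw, "\\\r\n\x00") {
		return fallback, false
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fallback, false
	}
	if u.Scheme == "" && u.Host == "" && u.Opaque == "" {
		// Relative reference: must start with exactly one "/".
		if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
			return fallback, false
		}
		return u.String(), true
	}
	// Absolute reference: http(s) only, no userinfo, host on the allowlist.
	// "//attacker.example" parses with an empty scheme and is rejected here.
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil ||
		!allowedHosts[strings.ToLower(u.Hostname())] {
		return fallback, false
	}
	return u.String(), true
}

func main() {
	// Constructed sample targets: two legitimate, three that must be refused.
	for _, in := range []string{"/teams/main", "https://concourse.example.com/teams/main",
		"//attacker.example/", "https://concourse.example.com.attacker.example/", "javascript:alert(1)"} {
		t, ok := SafeRedirect(in, "/")
		fmt.Printf("%-50q -> %q (accepted=%v)\n", in, t, ok)
	}
}
```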
Fix
Open Redirect
Weakness Enumeration
Related Identifiers
Affected Products
Concourse