PT-2020-18467 · Concourse, GitLab

Published: 2020-08-12 · Updated: 2024-03-06 · CVE-2020-5415

CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Concourse versions prior to 6.3.1 and 6.4.1
Description: Installations that use the GitLab auth connector are vulnerable to identity spoofing. Before the fix, the connector compared the entries listed under users in a team's configuration (or passed to the --gitlab-user flag of fly set-team) with the GitLab account's full name. A GitLab full name is a free-form display name that any account holder can change, so an attacker can set the full name of their own GitLab account to that of a user who has been granted access to a Concourse team, log in through the connector, and receive that user's team role. GitLab groups are not affected, because membership is checked against the group itself rather than against a name the account holder controls.
Recommendations: Upgrade to Concourse 6.3.1 or 6.4.1 (or later), whichever corresponds to the release line in use. If upgrading is not immediately possible, move the affected GitLab users into a GitLab group and grant that group access in the Concourse team configuration instead of listing individual users, since group membership cannot be spoofed this way. After upgrading to a fixed version the connector identifies users by GitLab username, so edit each team's configuration to replace every full name under users (and every --gitlab-user value) with the corresponding username; an entry left as a full name will no longer match, and that user will lose access until it is changed. Verify the result with fly teams -d, which prints the users and groups configured for each team role.
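The spoofing path described above, and the effect of the three configurations the recommendations mention (full name, username, group), as an added example that is not Concourse's own code: a simplified Go model of how a team's GitLab auth block is checked against a logged-in account. The types, function names and the accounts alice and mallory are constructed for this example and are not taken from the project.

```go
package main

import "fmt"

// GitLabIdentity holds what the auth connector learns about the logged-in
// GitLab account. Constructed for this example; not Concourse's types.
type GitLabIdentity struct {
	Username string   // unique handle, e.g. "alice"; cannot collide with another account
	FullName string   // free-form display name; the account holder can set it to anything
	Groups   []string // full paths of groups the account belongs to
}

// TeamAuth models the "gitlab:" block of one role in a team config file
// (or the --gitlab-user / --gitlab-group flags of fly set-team).
type TeamAuth struct {
	Users  []string
	Groups []string
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

func inAnyGroup(auth TeamAuth, id GitLabIdentity) bool {
	for _, g := range id.Groups {
		if contains(auth.Groups, g) {
			return true
		}
	}
	return false
}

// authorizedByFullName reproduces the behaviour the advisory describes for
// versions before 6.3.1 / 6.4.1: a "users" entry is compared with the
// account's full name, which the account holder controls.
func authorizedByFullName(auth TeamAuth, id GitLabIdentity) bool {
	return contains(auth.Users, id.FullName) || inAnyGroup(auth, id)
}

// authorizedByUsername is the fixed behaviour: "users" entries are GitLab
// usernames. Group matching is the same in both versions.
func authorizedByUsername(auth TeamAuth, id GitLabIdentity) bool {
	return contains(auth.Users, id.Username) || inAnyGroup(auth, id)
}

// Constructed accounts: alice is the legitimate team owner; mallory is any
// other account on the same GitLab instance that set its display name to
// Alice's full name.
var (
	alice   = GitLabIdentity{Username: "alice", FullName: "Alice Example", Groups: []string{"acme/platform"}}
	mallory = GitLabIdentity{Username: "mallory", FullName: "Alice Example"}
)

// Three ways of granting Alice access to the team.
var (
	teamByFullName = TeamAuth{Users: []string{"Alice Example"}}  // vulnerable pattern
	teamByUsername = TeamAuth{Users: []string{"alice"}}          // post-upgrade recommendation
	teamByGroup    = TeamAuth{Groups: []string{"acme/platform"}} // interim workaround
)

func main() {
	type checkFn func(TeamAuth, GitLabIdentity) bool
	versions := []struct {
		name  string
		check checkFn
	}{
		{"pre-fix (full name)", authorizedByFullName},
		{"fixed (username)", authorizedByUsername},
	}
	teams := []struct {
		name string
		auth TeamAuth
	}{
		{`users: ["Alice Example"]`, teamByFullName},
		{`users: ["alice"]`, teamByUsername},
		{`groups: ["acme/platform"]`, teamByGroup},
	}
	for _, v := range versions {
		for _, tm := range teams {
			fmt.Printf("%-22s %-28s alice=%-5v mallory=%v\n",
				v.name, tm.name, v.check(tm.auth, alice), v.check(tm.auth, mallory))
		}
	}
}
```

Running the block prints one row per version and configuration. The pre-fix row for users: ["Alice Example"] admits mallory, the group row rejects her under both versions, and the fixed row for a full-name entry admits nobody, which is why the recommendations say to rewrite such entries to usernames once the upgrade is done.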

Fix

Weakness Enumeration

Authentication Bypass by Spoofing (CWE-290)

Related Identifiers

BIT-CONCOURSE-2020-5415
CVE-2020-5415
GHSA-627P-RR78-99RJ

Affected Products

Concourse
GitLab