PT-2022-20888 · Concourse · Concourse

Rui42 · Published 2022-10-19 · Updated 2024-03-06 · CVE-2022-31683

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Concourse versions 6.x.y prior to 6.7.9
Concourse versions 7.x.y prior to 7.8.3

Description

The issue is an authorization bypass that allows a Concourse user to send a request with a body including :team_name=team2 to bypass team scope checks and gain access to certain resources belonging to any other team. This can be done by exploiting specific API endpoints, such as "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/builds/:build_name" with a POST method, or "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/pause" with a PUT method. The user only needs a valid user session and to belong to team2.

Recommendations

For Concourse versions 6.x.y prior to 6.7.9, update to version 6.7.9 to resolve the issue. For Concourse versions 7.x.y prior to 7.8.3, update to version 7.8.3 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/builds/:build_name" and "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/pause", until a patch is applied.
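The scope-check failure in the Description can be modelled in a few lines of Go. This is an added example, not Concourse's code: it assumes a router that stores the path's team under ":team_name" in the URL query and a check that reads it with FormValue, which for POST and PUT prefers body parameters over the URL. All function names and the target team "team1" are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// teamFromForm is the weak lookup (assumed pattern): FormValue merges the URL
// query with the request body, and for POST/PUT/PATCH the body value wins.
func teamFromForm(r *http.Request) string { return r.FormValue(":team_name") }

// teamFromRoute is the hardened lookup: only the router-populated URL query.
func teamFromRoute(r *http.Request) string { return r.URL.Query().Get(":team_name") }

// authorize models a team scope check: does the session belong to the team
// that the check believes the request targets?
func authorize(sessionTeams []string, team string) bool {
	for _, t := range sessionTeams {
		if t == team {
			return true
		}
	}
	return false
}

// routedRequest builds a constructed request as a pat-style router would hand
// it over: the team from the path is stored in the URL query as ":team_name".
func routedRequest(method, pathTeam, body string) *http.Request {
	r := httptest.NewRequest(method, "/api/v1/teams/"+pathTeam+"/pipelines/p/jobs/j/pause", strings.NewReader(body))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	r.URL.RawQuery = url.Values{":team_name": {pathTeam}}.Encode()
	return r
}

// check reports whether a session that belongs only to team2 passes the check.
func check(lookup func(*http.Request) string, r *http.Request) bool {
	return authorize([]string{"team2"}, lookup(r))
}

func main() {
	body := url.Values{":team_name": {"team2"}}.Encode()
	fmt.Println("FormValue lookup allows:", check(teamFromForm, routedRequest("PUT", "team1", body)))
	fmt.Println("URL-only lookup allows:", check(teamFromRoute, routedRequest("PUT", "team1", body)))
}
```

When reviewing authorization middleware, confirm that the identifier used for the scope check comes from the same source as the one the handler later uses to load the resource.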

Exploit

Fix

Incorrect Authorization

IDOR

Weakness Enumeration

Related Identifiers

BIT-CONCOURSE-2022-31683
CVE-2022-31683
GHSA-5JP2-VWRJ-99RF

Affected Products

Concourse