76 matches found
GHSA-8W27-C4VC-88Q9 Concourse login flow has an open redirect issue
Impact An attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal user's credentials. Patches This has been fixed in 8.2.3 Workarounds None. Exploit Vulnerable code was in:...
PT-2026-55209
Name of the Vulnerable Software and Affected Versions Concourse versions prior to 8.2.3 Description An open redirect issue exists in the login flow. An attacker can craft a URL that redirects users from the Concourse web server to an external site, which could be utilized in phishing attacks to...
CVE-2022-31683
Concourse 7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9 contains an authorization bypass issue. A Concourse user can send a request with body including :teamname=team2 to bypass team scope check to gain access to certain resources belong to any other team...
EUVD-2021-2453
Malware in sbrugna...
EUVD-2020-26583
Malware in sbrugna...
EUVD-2019-13429
Malware in sbrugna...
EUVD-2018-11861
Malware in sbrugna...
EUVD-2022-0811
Malicious code in bioql PyPI...
EUVD-2022-0931
Malicious code in bioql PyPI...
EUVD-2022-7028
Malicious code in bioql PyPI...
BIT-CONCOURSE-2020-5409 Concourse Open Redirect in the /sky/login endpoint
Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow. A remote unauthenticated attacker could convince a user to click on a link using the OAuth redirect link with an untrusted website and gain access to that user's access token in Concourse...
BIT-CONCOURSE-2020-5415 Concourse's GitLab auth allows impersonation
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this...
BIT-CONCOURSE-2022-31683
Concourse 7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9 contains an authorization bypass issue. A Concourse user can send a request with body including :teamname=team2 to bypass team scope check to gain access to certain resources belong to any other team...
Security Update for Microsoft Visual Studio Code Concourse CI Pipeline Editor Extension (CVE-2022-31691)
The Microsoft Visual Studio Code Concourse CI Pipeline Editor Extension is version 1.39.0 or below. It is, therefore, affected by a remote code execution vulnerability. The extension uses the Snakeyaml library for YAML editing support. This library allows for some special syntax in the YAML that...
Authorization Bypass
github.com/concourse/concourse is vulnerable to authorization bypasses. A malicious user is able to send a request with a body including :teamname=team2 to bypass team scope check and gain access to certain resources belong to any other team...
CVE-2022-31683
Concourse 7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9 contains an authorization bypass issue. A Concourse user can send a request with body including :teamname=team2 to bypass team scope check to gain access to certain resources belong to any other team...
Authorization
Concourse 7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9 contains an authorization bypass issue. A Concourse user can send a request with body including :teamname=team2 to bypass team scope check to gain access to certain resources belong to any other team...
CVE-2022-31683
Concourse 7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9 contains an authorization bypass issue. A Concourse user can send a request with body including :teamname=team2 to bypass team scope check to gain access to certain resources belong to any other team...
CVE-2022-31683
Concourse 7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9 contains an authorization bypass issue. A Concourse user can send a request with body including :teamname=team2 to bypass team scope check to gain access to certain resources belong to any other team...
Concourse 安全漏洞
Concourse is an automated system written in Go by Concourse Open Source. A security vulnerability exists in Concourse versions prior to 7.x.y through 7.8.3 and versions prior to 6.x.y through 6.7.9, which stems from the ability of its users to send a request with a request body...