4 matches found
EUVD-2021-2453
Malware in sbrugna...
GitLab auth uses full name instead of username as user ID, allowing impersonation
Impact: Installations which use the GitLab auth connector are vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another GitLab user who is granted access to a Concourse team by having their full name listed under users in the team configuration or...
User Impersonation
github.com/concourse/dex is vulnerable to user impersonation. The vulnerability exists when the GitLab auth connector is used, through configuring a GitLab account with the same full name as another GitLab user who is granted access to a Concourse team by having their full name listed under users...
PT-2020-18467 · Gitlab +1
Name of the Vulnerable Software and Affected Versions: Concourse versions prior to 6.3.1 and 6.4.1
Description: The issue allows for identity spoofing by configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. This is possible in installatio...