SQL Injection
Overview: Affected versions of this package are vulnerable to SQL Injection via the MDM bootstrap package configuration. An attacker can modify arbitrary team configurations, exfiltrate sensitive data from the database, and inject arbitrary content into team configurations by sending crafted API...
team: better TEAM_OPTION_TYPE_STRING validation
...
GHSA-627P-RR78-99RJ GitLab auth uses full name instead of username as user ID, allowing impersonation
Impact: Installations which use the GitLab auth connector are vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another GitLab user who is granted access to a Concourse team by having their full name listed under users in the team configuration or...
PT-2020-18467 · Gitlab +1 · Gitlab +1
Name of the Vulnerable Software and Affected Versions: Concourse versions prior to 6.3.1 and 6.4.1
Description: The issue allows for identity spoofing by configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. This is possible in installatio...