CVE-2020-5415: Authentication Bypass by Spoofing

August 12, 2020 (updated August 19, 2020)

Concourse, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.

References

nvd.nist.gov/vuln/detail/CVE-2020-5415

Code Behaviors & Features

Detect and mitigate CVE-2020-5415 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →