GMS-2022-5607: Team scope authorization bypass when Post/Put request with :team_name in body, allows HTTP parameter pollution

October 19, 2022

For some Post/Put Concourse endpoint containing :team_name in the URL, a Concourse user can send a request with body including :team_name=team2 to bypass team scope check to gain access to certain resources belong to any other team. The user only needs a valid user session and belongs to team2.

References

github.com/advisories/GHSA-5jp2-vwrj-99rf
github.com/concourse/concourse/pull/8566
github.com/concourse/concourse/pull/8580
github.com/concourse/concourse/releases/tag/v6.7.9
github.com/concourse/concourse/releases/tag/v7.8.3
github.com/concourse/concourse/security/advisories/GHSA-5jp2-vwrj-99rf

Code Behaviors & Features

Detect and mitigate GMS-2022-5607 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →