CVE-2019-3792: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

February 15, 2022 (updated April 12, 2022)

Pivotal Concourse version 5.0.0, contains an API that is vulnerable to SQL injection. An Concourse resource can craft a version identifier that can carry a SQL injection payload to the Concourse server, allowing the attacker to read privileged data.

References

github.com/advisories/GHSA-4fqx-74rv-638w
github.com/concourse/concourse/blob/master/release-notes/v5.0.1.md
github.com/concourse/concourse/commit/dc3d15ab6c3a69890c9985f9c875d4c2949be727
nvd.nist.gov/vuln/detail/CVE-2019-3792
pivotal.io/security/cve-2019-3792

Code Behaviors & Features

Detect and mitigate CVE-2019-3792 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →