CVE-2020-5415: GitLab auth uses full name instead of username as user ID, allowing impersonation
Installations that use the GitLab auth connector are vulnerable to identity spoofing: a GitLab account configured with the same full name as another GitLab user obtains that user's access to any Concourse team that grants access by listing the full name under users in the team configuration or by passing it to the --gitlab-user flag.
See the GitLab auth docs for details.
Concourse installations which do not configure the GitLab auth connector are not affected.
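As an added illustration, not code from Concourse or from this advisory, the Go program below models the two identity mappings: keying team membership on the mutable full name, as the vulnerable connector did, versus keying it on the unique username, together with an audit helper that lists full names shared by more than one account. The GitLabUser type, its field names and the sample accounts are constructed assumptions.

```go
package main
import (
	"fmt"
	"strings"
)

// GitLabUser is a constructed stand-in for the GitLab profile the auth connector
// receives (hypothetical fields, not Concourse's own types).
type GitLabUser struct {
	Username string // unique login, e.g. "alice"
	FullName string // free-form display name any account holder can set
}

// userIDFromFullName reproduces the flaw behind CVE-2020-5415: authorization
// is keyed on the display name. userIDFromUsername is the corrected mapping.
func userIDFromFullName(u GitLabUser) string { return u.FullName }
func userIDFromUsername(u GitLabUser) string { return u.Username }

// isTeamMember checks the team's configured users against the connector's ID.
func isTeamMember(teamUsers []string, userID string) bool {
	for _, u := range teamUsers {
		if u == userID {
			return true
		}
	}
	return false
}

// fullNameCollisions lists, for an exposure audit, every full name shared by
// more than one account: exactly the identities a name-based check conflates.
func fullNameCollisions(users []GitLabUser) map[string][]string {
	byName := map[string][]string{}
	for _, u := range users {
		key := strings.ToLower(u.FullName)
		byName[key] = append(byName[key], u.Username)
	}
	for name, logins := range byName {
		if len(logins) < 2 {
			delete(byName, name)
		}
	}
	return byName
}
func main() {
	alice := GitLabUser{Username: "alice", FullName: "Alice Example"}
	mallory := GitLabUser{Username: "mallory", FullName: "Alice Example"} // constructed: same display name
	fmt.Println(isTeamMember([]string{"Alice Example"}, userIDFromFullName(mallory))) // true: spoofed
	fmt.Println(isTeamMember([]string{"alice"}, userIDFromUsername(mallory)))         // false
	fmt.Println(fullNameCollisions([]GitLabUser{alice, mallory}))                      // map[alice example:[alice mallory]]
}
```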