Pivotal Software Concourse 0.7.0 Release Candidate 6

CPE Details

Pivotal Software Concourse 0.7.0 Release Candidate 6
pivotal_software
concourse
0.7.0
2019-06-25
15h48 +00:00
2019-06-25
15h48 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:pivotal_software:concourse:0.7.0:rc6:*:*:*:*:*:*

Informations

Vendor

pivotal_software

Product

concourse

Version

0.7.0

Update

rc6

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2020-5415 2020-08-12 16h40 +00:00 Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
10
Critical
CVE-2020-5409 2020-05-13 23h15 +00:00 Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow. A remote unauthenticated attacker could convince a user to click on a link using the OAuth redirect link with an untrusted website and gain access to that user's access token in Concourse. (This issue is similar to, but distinct from, CVE-2018-15798.)
6.1
Medium
CVE-2019-3792 2019-04-01 20h54 +00:00 Pivotal Concourse version 5.0.0, contains an API that is vulnerable to SQL injection. An Concourse resource can craft a version identifier that can carry a SQL injection payload to the Concourse server, allowing the attacker to read privileged data.
7.5
High
CVE-2019-3803 2019-01-12 01h00 +00:00 Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user.
7.5
High