CVE-2020-5415 Vulnerability Details

  /     /     /  

CVE-2020-5415 Metadata Quick Info

CVE Published: 12/08/2020 | CVE Updated: 16/09/2024 | CVE Year: 2020
Source: pivotal | Vendor: VMware Tanzu | Product: Concourse
Status : PUBLISHED

---

CVE-2020-5415 Description

Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-290
CWE Name: CWE-290: Authentication Bypass by Spoofing
Source: VMware Tanzu

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).