Concourse (7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9) contains an authorization bypass issue. A Concourse user can send a request with body including :team_name=team2 to bypass team scope check to gain access to certain resources belong to any other team.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NPivotal Software Concourse
APPPivotal Software6.0.0 – 6.7.9 (bez)7.0.0 – 7.8.3 (bez)
Related vulnerabilities
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnera...
Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows redirects to untrusted websites. A r...
Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact, if a customer o...
Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow. A r...
Pivotal Concourse version 5.0.0, contains an API that is vulnerable to SQL injection. An Concourse resource ca...