CVE-2022-31683

CWE: 639, 863

First published: Wed Oct 19 2022 (Updated: )

### Impact

For some POST/PUT Concourse endpoints containing `:team_name` in the URL, a Concourse user can send a request whose body includes `:team_name=team2` to bypass the team scope check and gain access to certain resources belonging to any other team. The user only needs a valid user session and membership in team2.

Exploitable endpoints:

```
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/builds/:build_name", Method: "POST", Name: RerunJobBuild},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/pause", Method: "PUT", Name: PauseJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/unpause", Method: "PUT", Name: UnpauseJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/schedule", Method: "PUT", Name: ScheduleJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/pause", Method: "PUT", Name: PausePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/unpause", Method: "PUT", Name: UnpausePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/expose", Method: "PUT", Name: ExposePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/hide", Method: "PUT", Name: HidePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/rename", Method: "PUT", Name: RenamePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/archive", Method: "PUT", Name: ArchivePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/enable", Method: "PUT", Name: EnableResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/disable", Method: "PUT", Name: DisableResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/pin", Method: "PUT", Name: PinResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/unpin", Method: "PUT", Name: UnpinResource},
{Path: "/api/v1/teams/:team_name/artifacts", Method: "POST", Name: CreateArtifact},
```

### Steps to reproduce

1. Set up a Concourse deployment with team 1 (with pipeline 1) and team 2. The user is in team 2 but not team 1.
2. Log in as the user to team 2.
   ```
   fly -t ci login -n team2 -u user -p password
   ```
3. Try pausing pipeline 1 in team 1 using fly. Verify the command output is `pipeline 'pipeline1' not found`.
   ```
   fly -t ci pause-pipeline -p pipeline1
   ```
4. Send a customized request through the `fly curl` command intended to pause pipeline 1 again.
   ```
   fly -t ci curl /api/v1/teams/team1/pipelines/pipeline1/pause -- -X PUT -d ":team_name=team2" -H "Content-type: application/x-www-form-urlencoded"
   ```
5. Pipeline 1 in team 1 will be paused.

In step 4, the parameter pollution allows a user from any team to pause a pipeline that belongs to another team.

### Patches

Concourse [v6.7.9](https://github.com/concourse/concourse/releases/tag/v6.7.9) and [v7.8.3](https://github.com/concourse/concourse/releases/tag/v7.8.3) were both released with a fix on October 12, 2022. Instead of using [`FormValue`](https://pkg.go.dev/net/http#Request.FormValue) to parse `team_name` from the request, which allows body parameters to take precedence over URL query string values, both patched versions now use `URL.Query().Get()` in the various scope handlers to prevent the parameter pollution.

### Workarounds

No known workarounds for existing versions.

### References

* https://github.com/concourse/concourse/pull/8566: PR with the fix

### For more information

If you have any questions or comments about this advisory, you may reach us privately at [security@concourse-ci.org](mailto:security@concourse-ci.org).
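The `FormValue` precedence described under Patches, shown side by side with the `URL.Query().Get()` lookup, as an added example that is not Concourse's own code. It assumes a router that copies the matched `:team_name` path parameter into the request's query string, and builds a request shaped like step 4 of the advisory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// newPollutedRequest builds a constructed request like step 4 above: the
// matched path names pathTeam while a form-encoded body carries bodyTeam.
// Assumption (not Concourse code): the router has already copied the path
// parameter into the query string under the key ":team_name".
func newPollutedRequest(method, pathTeam, bodyTeam string) *http.Request {
	q := url.Values{":team_name": {pathTeam}}
	target := "/api/v1/teams/" + pathTeam + "/pipelines/pipeline1/pause?" + q.Encode()
	body := url.Values{":team_name": {bodyTeam}}.Encode()
	r := httptest.NewRequest(method, target, strings.NewReader(body))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return r
}

// vulnerableTeamName mirrors the pre-fix lookup. For POST/PUT/PATCH,
// FormValue parses the body into r.Form ahead of the query values, so the
// first ":team_name" it returns is the one supplied in the body.
func vulnerableTeamName(r *http.Request) string {
	return r.FormValue(":team_name")
}

// fixedTeamName mirrors the patched lookup: only the URL query is consulted,
// and the request body cannot shadow it.
func fixedTeamName(r *http.Request) string {
	return r.URL.Query().Get(":team_name")
}

// teamScopeResult reports which team each lookup scopes the request to for a
// given method. GET bodies are never parsed by FormValue, which is why only
// POST/PUT endpoints appear in the advisory's exploitable list.
func teamScopeResult(method string) (vulnerable, fixed string) {
	vulnerable = vulnerableTeamName(newPollutedRequest(method, "team1", "team2"))
	fixed = fixedTeamName(newPollutedRequest(method, "team1", "team2"))
	return vulnerable, fixed
}

func main() {
	for _, m := range []string{"PUT", "POST", "GET"} {
		v, f := teamScopeResult(m)
		fmt.Printf("%-4s FormValue=%s URL.Query().Get=%s\n", m, v, f)
	}
}
```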

Credit: security@vmware.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pivotal Software Concourse | >=6.0.0 <6.7.9 | |
| Pivotal Software Concourse | >=7.0.0 <7.8.3 | |
| go/github.com/concourse/concourse | >=7.0.0 <7.8.3 | 7.8.3 |
| go/github.com/concourse/concourse | <6.7.9 | 6.7.9 |


Frequently Asked Questions

  • What is CVE-2022-31683?

    CVE-2022-31683 is a vulnerability in Concourse versions 7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9 that allows an authorization bypass, allowing a user to gain access to certain resources belonging to other teams.

  • How severe is CVE-2022-31683?

    CVE-2022-31683 has a severity rating of 5.4, which is considered medium.

  • How can I fix CVE-2022-31683?

    To fix CVE-2022-31683, you should upgrade to Concourse version 7.8.3 or 6.7.9, depending on your current version.

  • What is the affected software of CVE-2022-31683?

    The affected software of CVE-2022-31683 is Concourse versions 7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9, specifically the Pivotal Software Concourse.

  • Where can I find more information about CVE-2022-31683?

    You can find more information about CVE-2022-31683 in the GitHub security advisory: https://github.com/concourse/concourse/security/advisories/GHSA-5jp2-vwrj-99rf
