Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01anAyLXZ3cmotOTlyZs4AAvd3
Team scope authorization bypass when Post/Put request with :team_name in body, allows HTTP parameter pollution
Impact
For some Post/Put Concourse endpoint containing :team_name
in the URL, a Concourse user can send a request with body including :team_name=team2
to bypass team scope check to gain access to certain resources belong to any other team. The user only needs a valid user session and belongs to team2.
Exploitable endpoints:
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/builds/:build_name", Method: "POST", Name: RerunJobBuild},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/pause", Method: "PUT", Name: PauseJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/unpause", Method: "PUT", Name: UnpauseJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/schedule", Method: "PUT", Name: ScheduleJob},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/pause", Method: "PUT", Name: PausePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/unpause", Method: "PUT", Name: UnpausePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/expose", Method: "PUT", Name: ExposePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/hide", Method: "PUT", Name: HidePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/rename", Method: "PUT", Name: RenamePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/archive", Method: "PUT", Name: ArchivePipeline},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/enable", Method: "PUT", Name: EnableResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/disable", Method: "PUT", Name: DisableResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/versions/:resource_config_version_id/pin", Method: "PUT", Name: PinResourceVersion},
{Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/resources/:resource_name/unpin", Method: "PUT", Name: UnpinResource},
{Path: "/api/v1/teams/:team_name/artifacts", Method: "POST", Name: CreateArtifact},
Steps to reproduce
- Set up a Concourse deployment with team 1 (with pipeline 1) and team 2. User is in team 2 but not team 1.
- Login as user to team 2.
fly -t ci login -n team2 -u user -p password
- Try pausing pipeline 1 in team 1 using fly. Verify the command output is
pipeline 'pipeline1' not found
.
fly -t ci pause-pipeline -p pipeline1
- Send a customized request through
fly curl
command intend to pause pipeline 1 again.
fly -t ci curl /api/v1/teams/team1/pipelines/pipeline1/pause -- -X PUT -d ":team_name=team2" -H "Content-type: application/x-www-form-urlencoded"
- pipeline 1 in team 1 will be paused.
In step 4, the parameter pollution would allow an user from any team to pause a pipeline that belongs to other team.
Patches
Concourse v6.7.9 and v7.8.3 were both released with a fix on October 12, 2022.
Instead of using FormValue
to parse team_name in the request, where allows body parameters to take precedence over URL query string values, both patch versions are now using URL.Query().Get()
over multiple scope handlers to prevent the parameter pollution.
Workarounds
No known workarounds for existing versions.
References
- https://github.com/concourse/concourse/pull/8566: PR with the fix
For more information
If you have any questions or comments about this advisory, you may reach us privately at [email protected].
Permalink: https://github.com/advisories/GHSA-5jp2-vwrj-99rfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01anAyLXZ3cmotOTlyZs4AAvd3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-5jp2-vwrj-99rf, CVE-2022-31683
References:
- https://github.com/concourse/concourse/security/advisories/GHSA-5jp2-vwrj-99rf
- https://github.com/concourse/concourse/pull/8566
- https://github.com/concourse/concourse/pull/8580
- https://github.com/concourse/concourse/releases/tag/v6.7.9
- https://github.com/concourse/concourse/releases/tag/v7.8.3
- https://nvd.nist.gov/vuln/detail/CVE-2022-31683
- https://github.com/concourse/concourse/commit/57e06711b0d861775a5a6bd078a34abeb0e2638e
- https://github.com/concourse/concourse/commit/ba885834d9bcbb9d1ccb9964faa7af0e78a72205
- https://github.com/advisories/GHSA-5jp2-vwrj-99rf
Blast Radius: 7.2
Affected Packages
go:github.com/concourse/concourse
Dependent packages: 19Dependent repositories: 22
Downloads:
Affected Version Ranges: >= 7.0.0, < 7.8.3, < 6.7.9
Fixed in: 7.8.3, 6.7.9
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.41.0, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.48.0, 0.49.0, 0.50.0, 0.51.0, 0.52.0, 0.53.0, 0.54.0, 0.55.0, 0.56.0, 0.57.0, 0.58.0, 0.59.0, 0.59.1, 0.60.0, 0.60.1, 0.61.0, 0.62.0, 0.62.1, 0.63.0, 0.64.0, 0.64.1, 0.65.0, 0.65.1, 0.66.0, 0.66.1, 0.67.0, 0.67.1, 0.68.0, 0.69.0, 0.69.1, 0.70.0, 0.71.0, 0.71.1, 0.72.0, 0.72.1, 0.73.0, 0.74.0, 0.75.0, 0.76.0, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.5.0, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 3.10.0, 3.11.0, 3.12.0, 3.13.0, 3.14.0, 3.14.1, 4.0.0, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3
All unaffected versions: