{"id":"BIT-concourse-2020-5409","summary":"Concourse Open Redirect in the /sky/login endpoint","details":"Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow. A remote unauthenticated attacker could convince a user to click on a link whose OAuth redirect target is an untrusted website, and thereby gain access to that user's access token in Concourse. (This issue is similar to, but distinct from, CVE-2018-15798.)","aliases":["CVE-2020-5409"],"modified":"2025-05-20T10:02:07.006Z","published":"2024-03-06T10:51:15.173Z","database_specific":{"severity":"Medium","cpes":["cpe:2.3:a:pivotal_software:concourse:*:*:*:*:*:*:*:*"]},"references":[{"type":"WEB","url":"https://tanzu.vmware.com/security/cve-2020-5409"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5409"}],"affected":[{"package":{"name":"concourse","ecosystem":"Bitnami","purl":"pkg:bitnami/concourse"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"5.2.8"},{"introduced":"5.3.0"},{"fixed":"5.5.10"},{"introduced":"5.6.0"},{"fixed":"5.8.1"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/concourse/BIT-concourse-2020-5409.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}],"schema_version":"1.7.3"}