{"id":"CVE-2022-31683","details":"Concourse (7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9) contains an authorization bypass issue. A Concourse user can send a request whose body includes :team_name=team2 to bypass the team scope check and gain access to certain resources belonging to any other team.","aliases":["BIT-concourse-2022-31683","GHSA-5jp2-vwrj-99rf"],"modified":"2026-04-12T03:44:16.092762Z","published":"2022-12-19T16:15:11.027Z","related":["GHSA-5jp2-vwrj-99rf"],"references":[{"type":"EVIDENCE","url":"https://github.com/concourse/concourse/security/advisories/GHSA-5jp2-vwrj-99rf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/concourse/concourse","events":[{"introduced":"559620ba019a21116d78e260c62d5904ab912fe0"},{"fixed":"a96bf827c89ed7216ea8cf42271d2c62c4f2442c"},{"introduced":"35e971a307d349be791178c5a3d17f24c966c8c1"},{"fixed":"5a9b0ca8800605dbc3da61aeea891538d65699fb"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:pivotal_software:concourse:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"6.0.0"},{"fixed":"6.7.9"},{"introduced":"7.0.0"},{"fixed":"7.8.3"}]}}],"versions":["v6.0.0","v6.2.0","v6.3.0","v6.4.0","v6.5.0","v6.5.1","v6.6.0","v6.7.0","v6.7.1","v6.7.2","v6.7.3","v6.7.4","v6.7.5","v6.7.6","v6.7.7","v6.7.8","v7.0.0","v7.1.0","v7.2.0","v7.3.0","v7.3.1","v7.3.2","v7.4.0","v7.5.0","v7.6.0","v7.7.0","v7.8.0","v7.8.1","v7.8.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-31683.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}