
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-31683 is an authorization bypass vulnerability discovered in Concourse versions 7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9. The vulnerability was disclosed on December 19, 2022. The issue allows a Concourse user to bypass team scope checks by sending a request with a specially crafted body that includes a :team_name parameter, gaining unauthorized access to resources belonging to other teams (GitHub Advisory).
The vulnerability exists in multiple POST/PUT endpoints containing :team_name in the URL. The issue stems from using FormValue to parse team_name in the request, which allows body parameters to take precedence over URL query string values. This enables HTTP parameter pollution, where an authenticated user belonging to one team can manipulate the team_name parameter to access resources of other teams. The vulnerability has a CVSS v3.1 Base Score of 5.4 (Medium); the attack vector is Network, and it requires Low privileges and no user interaction (AttackerKB).
An authenticated user with membership in any team can exploit this vulnerability to gain unauthorized access to resources belonging to other teams. The exploitable actions include pausing/unpausing pipelines and jobs, scheduling jobs, exposing/hiding pipelines, renaming pipelines, archiving pipelines, and managing resource versions (GitHub Advisory).
The vulnerability has been patched in Concourse versions 6.7.9 and 7.8.3, released on October 12, 2022. The fix involves changing the parameter parsing method from FormValue to URL.Query().Get() across multiple scope handlers to prevent parameter pollution. No workarounds are available for existing versions (GitHub Advisory).
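The difference between the two parsing methods, as an added example that is not Concourse code: a constructed PUT request is read once with FormValue and once with URL.Query().Get(), and a scope check is run on each result. The function names, the /example path, the team names and the assumption that the router exposes the route value as the ":team_name" query key are illustrative.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Pre-fix pattern: FormValue merges body and query string, and for
// POST/PUT/PATCH requests the body value takes precedence.
func teamFromFormValue(r *http.Request) string { return r.FormValue(":team_name") }

// Fixed pattern: only the URL query string is consulted; the body is ignored.
func teamFromQuery(r *http.Request) string { return r.URL.Query().Get(":team_name") }

// scopeAllows is a hypothetical team scope check: is team in the user's teams?
func scopeAllows(userTeams []string, team string) bool {
	for _, t := range userTeams {
		if t == team {
			return true
		}
	}
	return false
}

// pollutedRequest builds a constructed PUT whose query string (assumed to be
// filled by the router) names routeTeam while the form body names bodyTeam.
func pollutedRequest(routeTeam, bodyTeam string) *http.Request {
	q := url.Values{":team_name": {routeTeam}}
	body := url.Values{":team_name": {bodyTeam}}
	r := httptest.NewRequest(http.MethodPut, "/example?"+q.Encode(),
		strings.NewReader(body.Encode()))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return r
}

func main() {
	member := []string{"team-a"} // the caller belongs to team-a only
	before := teamFromFormValue(pollutedRequest("team-b", "team-a"))
	after := teamFromQuery(pollutedRequest("team-b", "team-a"))
	fmt.Printf("FormValue: check sees %q, allowed=%v\n", before, scopeAllows(member, before))
	fmt.Printf("URL.Query: check sees %q, allowed=%v\n", after, scopeAllows(member, after))
}
```

With FormValue the check evaluates the body-supplied team instead of the one named by the route; with URL.Query().Get() the body has no influence on the value being checked.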
Source: This report was generated using AI