LOW

GHSA-8w27-c4vc-88q9

Concourse login flow has an open redirect issue

Details

### Impact

An attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal users' credentials.

### Patches

This has been fixed in 8.2.3.

### Workarounds

None.

### Exploit

The vulnerable code was at: https://github.com/concourse/concourse/blob/ea7b812e3a88fdd070f0faece874e8a2d4fbb31c/skymarshal/skyserver/skyserver.go#L162-L170

The issue stems from the underlying processing logic of Go's `url` package. Normally, `ParseRequestURI()` eventually reaches the internal `url.setPath()` function, where the URL path is decoded. However, if `RawPath` is not empty, `validEncoded(RawPath)` is true, and the decoded result equals `Path`, then `RawPath` is returned as is; otherwise `Path`, which already holds the decoded form, is escaped again, which in effect decodes the path a second time.

In other words, if the URL contains characters that should be escaped, such as backslashes (`\`), an extra decoding step is performed, so `/%2Fexample.com` is parsed as `//example.com`.

On vulnerable versions of Concourse, add `/sky/login?redirect_uri=/%252Fexample.com/\` to your Concourse external URL, log in as usual, and you should be redirected to `example.com` instead of your Concourse web server. The redirect happens after the login flow completes. No credentials are leaked.
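As an added illustration (not Concourse's code and not the fix shipped in 8.2.3), the following Go function shows a `redirect_uri` check that is robust against this parsing quirk: it inspects the decoded `Path` rather than the raw string, refuses backslashes, and resolves the result against the external URL before confirming that the host is unchanged. The external URL `https://ci.example.org` and the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SafeRedirect validates a user-supplied redirect_uri (as read from the query
// string, i.e. already decoded once) against the server's external URL and
// returns the absolute URL to place in the Location header. Anything that is
// not a plain path on the same host is rejected.
func SafeRedirect(externalURL, candidate string) (string, error) {
	base, err := url.Parse(externalURL)
	if err != nil || base.Scheme == "" || base.Host == "" {
		return "", errors.New("external URL must be absolute")
	}
	// Browsers treat a backslash like a slash; net/url does not, and a backslash
	// is what makes net/url re-escape the already decoded path. Refuse it.
	if strings.ContainsRune(candidate, '\\') {
		return "", errors.New("redirect_uri contains a backslash")
	}
	ref, err := url.Parse(candidate)
	if err != nil {
		return "", err
	}
	// Only a relative reference without scheme, authority or opaque part is acceptable.
	if ref.Scheme != "" || ref.Host != "" || ref.User != nil || ref.Opaque != "" {
		return "", errors.New("redirect_uri must be a relative path")
	}
	// Check the decoded path: "/%2Fexample.com" decodes to "//example.com",
	// which a browser reads as a protocol-relative URL to another host.
	if !strings.HasPrefix(ref.Path, "/") || strings.HasPrefix(ref.Path, "//") {
		return "", errors.New("redirect_uri must be an absolute path on this host")
	}
	// Resolve against the external URL so the result always names our host,
	// then re-parse the rendered string and confirm the host survived rendering.
	rendered := base.ResolveReference(ref).String()
	check, err := url.Parse(rendered)
	if err != nil || check.Scheme != base.Scheme || check.Host != base.Host {
		return "", fmt.Errorf("redirect would leave %s: %q", base.Host, rendered)
	}
	return rendered, nil
}

func main() {
	for _, c := range []string{"/teams/main/pipelines/p?x=1", "/%2Fexample.com/\\", "//example.com"} {
		out, err := SafeRedirect("https://ci.example.org", c) // constructed external URL
		fmt.Printf("%-24q -> %q %v\n", c, out, err)
	}
}
```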


Affected packages

Go / github.com/concourse/concourse
Introduced in: 0
Fixed in: 1.6.1-0.20260526150512-ac60be5f0435
Fix: `go get github.com/concourse/concourse@v1.6.1-0.20260526150512-ac60be5f0435`
