Severity: LOW

GHSA-8w27-c4vc-88q9

Concourse login flow has an open redirect issue

Details

### Impact

An attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal users' credentials.

### Patches

This has been fixed in 8.2.3.

### Workarounds

None.

### Exploit

Vulnerable code was in: https://github.com/concourse/concourse/blob/ea7b812e3a88fdd070f0faece874e8a2d4fbb31c/skymarshal/skyserver/skyserver.go#L162-L170

The issue stems from the underlying processing logic of Go's `url` package. Normally, `ParseRequestURI()` eventually reaches the internal `url.setPath()` function, where the URL path is decoded. However, when the URL is rendered back to a string, if `RawPath` is not empty, `validEncoded(RawPath)` is true, and decoding `RawPath` yields `Path`, then `RawPath` is returned as-is; otherwise `Path`, which has already been decoded, is escaped and used instead.

In other words, if the URL contains dangerous characters that should be escaped, such as backslashes (`\`), then an extra decoding step will be performed. Therefore, `/%2Fexample.com` will be parsed as `//example.com`.

On vulnerable versions of Concourse, add `/sky/login?redirect_uri=/%252Fexample.com/\` to your Concourse external URL, log in as usual, and you should be redirected to `example.com` instead of your Concourse web server. The redirect happens after the login flow completes. No credentials are leaked.
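The `net/url` behaviour described above, together with a defensive check for `redirect_uri` values, as an added Go example. This is not Concourse's code and not the fix shipped in 8.2.3; the function names `RenderedRedirect` and `IsSafeLocalRedirect` are mine, and the sample inputs are constructed (the first is the advisory's value after the query-string layer has removed one level of percent-encoding).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RenderedRedirect parses a redirect_uri value the way net/url does for an
// incoming request path and returns the string form a handler would hand to
// http.Redirect. It returns "" when the value does not parse.
func RenderedRedirect(raw string) string {
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return ""
	}
	// u.Path is the decoded form; u.String() re-renders it through
	// EscapedPath(), which falls back to escaping the decoded Path whenever
	// RawPath is not a valid encoding. A raw backslash makes it invalid, so
	// the decoded "//example.com" surfaces in the rendered string.
	return u.String()
}

// IsSafeLocalRedirect accepts only same-origin, path-only targets. The checks
// are applied to the parsed components, the decoded path and the re-rendered
// string, so a value that looks harmless in one form cannot pass in another.
func IsSafeLocalRedirect(raw string) bool {
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return false
	}
	// Absolute URLs and authority sections are never acceptable.
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}
	// Reject backslashes outright: some user agents treat "\" as "/", and a
	// raw "\" is exactly what flips net/url into re-escaping the decoded path.
	if strings.ContainsAny(raw, `\`) || strings.ContainsAny(u.Path, `\`) {
		return false
	}
	// The decoded path must be rooted with a single slash; a leading "//"
	// becomes a scheme-relative URL once a browser sees it.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return false
	}
	// The rendered form (what http.Redirect would emit) must satisfy the
	// same rule.
	rendered := u.String()
	if !strings.HasPrefix(rendered, "/") || strings.HasPrefix(rendered, "//") {
		return false
	}
	return true
}

func main() {
	// Constructed sample inputs.
	samples := []string{
		`/%2Fexample.com/\`,          // rendered as //example.com/%5C -> rejected
		`/%2Fexample.com`,            // rendered as /%2Fexample.com, decoded path //example.com -> rejected
		`//example.com/`,             // rejected
		`https://example.com/`,       // rejected
		`/teams/main/pipelines/demo`, // accepted
	}
	for _, s := range samples {
		fmt.Printf("%-30q rendered=%-24q safe=%v\n", s, RenderedRedirect(s), IsSafeLocalRedirect(s))
	}
}
```

The first sample shows the divergence the advisory relies on: `u.Path` is `//example.com/\`, but because the raw backslash makes `RawPath` fail `validEncoded`, `u.String()` becomes `//example.com/%5C`, a scheme-relative URL. The second sample, without the backslash, renders back as `/%2Fexample.com` and is still rejected because its decoded path starts with `//`; checking only one representation is how this class of bug slips through.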


Affected packages

Go / github.com/concourse/concourse
First affected version: 0. Fixed version: 1.6.1-0.20260526150512-ac60be5f0435
Fix: go get github.com/concourse/concourse@v1.6.1-0.20260526150512-ac60be5f0435

References