GHSA-8w27-c4vc-88q9
Concourse login flow has an open redirect issue
Details
### Impact
An attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal users' credentials.
### Patches
This has been fixed in 8.2.3.
### Workarounds
None.
### Exploit
Vulnerable code was in: https://github.com/concourse/concourse/blob/ea7b812e3a88fdd070f0faece874e8a2d4fbb31c/skymarshal/skyserver/skyserver.go#L162-L170
The issue stems from how Go's `url` package processes paths. Normally, `ParseRequestURI()` eventually reaches the internal `url.setPath()` function, where the path is decoded. When the URL is serialised again, however, `RawPath` is returned as is only if `RawPath` is not empty, `validEncoded(RawPath)` is true, and the decoded result equals `Path`; otherwise the already-decoded `Path` is escaped again, which amounts to decoding the original input a second time.
In other words, if the URL contains dangerous characters that should be escaped, such as backslashes (`\`), then an extra decoding step will be performed. Therefore, `/%2Fexample.com` will be parsed as `//example.com`.
On vulnerable versions of Concourse, add `/sky/login?redirect_uri=/%252Fexample.com/\` to your Concourse external URL, log in as usual, and you should be redirected to `example.com` instead of your Concourse web server. The redirect happens after the login flow completes. No credentials are leaked.
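The parsing behaviour described above, as an added example that is not Concourse's code: `normalizeRedirect` reproduces the parse-and-reserialise step that turns `/%2Fexample.com/\` into a protocol-relative URL, and `isSafeLocalRedirect` is a hypothetical allow-check that validates the decoded path instead of the raw bytes (both function names are assumptions, as is the sample path `/teams/main`).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// normalizeRedirect reproduces the parse-and-reserialise step behind the bug.
// For "/%2Fexample.com" RawPath is valid and decodes back to Path, so String()
// returns it unchanged. For "/%2Fexample.com/\" the backslash fails Go's
// validEncoded() check, so EscapedPath() re-escapes the already-decoded Path
// "//example.com/\" and the result starts with "//example.com", which a
// browser reads as a protocol-relative URL pointing at another host.
func normalizeRedirect(raw string) (string, error) {
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

// isSafeLocalRedirect is a hypothetical allow-check for redirect_uri values
// (not Concourse's fix): it refuses anything that could leave the current origin.
func isSafeLocalRedirect(raw string) bool {
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return false
	}
	if u.Scheme != "" || u.Host != "" || u.User != nil {
		return false // absolute URL
	}
	p := u.Path // decoded: any "%2F" is already "/" here
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") {
		return false // not a local path, or protocol-relative "//host"
	}
	if strings.Contains(p, `\`) {
		return false // browsers treat "/\host" like "//host"
	}
	// The Location value must still be a local path after re-serialisation.
	return !strings.HasPrefix(u.String(), "//")
}

func main() {
	for _, in := range []string{"/%2Fexample.com", `/%2Fexample.com/\`, "/teams/main"} {
		out, err := normalizeRedirect(in)
		fmt.Printf("%q -> %q err=%v safe=%v\n", in, out, err, isSafeLocalRedirect(in))
	}
}
```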
Affected packages
0 Fixed version: `1.6.1-0.20260526150512-ac60be5f0435` (`go get github.com/concourse/concourse@v1.6.1-0.20260526150512-ac60be5f0435`)