Vulnerability Reportconcourse/concourse:8.2.0

concourse/concourse:8.2.0

DIGESTsha256:c26e993959ac79f202c481c4f9d048bdf7a65d6afb13eb5df5e414edbf97a3e5

Executive Summary

Threat ScoreDANGEROUS• Single high-severity vulnerability (CVE-2020-5415) on exposed surface with CVSS 8.0 enables identity spoofing and unauthorized team access• Vulnerability directly impacts authentication logic; exploitation leads to unauthorized access to Concourse CI/CD pipelines• Image has 42 exposed vulnerabilities; however, the critical one determines the risk• Reputation is reliable (90/100, 88M+ pulls) but does not mitigate this critical flaw• Threat score of 75 places this image in the DANGEROUS band• Vulnerability is configuration-dependent: only exploitable if GitLab auth connector is enabled (non-default)

75/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (88M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could impersonate a legitimate user by matching full names, gaining unauthorized access to Concourse teams and potentially to CI/CD pipeline controls. Disabling the GitLab auth connector or enforcing GitLab group-based authentication would fully eliminate CVE-2020-5415. Note: CVE-2020-5415 only applies if the GitLab auth connector is enabled, which is a non-default configuration. Despite the image's popularity and high reputation, the vulnerability is severe and easily exploitable over the network without authentication.

Vulnerabilities

Vulnerability Log

62 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2020-5415	HIGH8	github.com/concourse/dex v1.13.0 fixed in 6.4.1, 6.3.1, 0.0.0-20200730150203-821b48abfd88	1.2% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33811	MEDIUM5.1	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39820	MEDIUM5.1	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39820	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-9076	MEDIUM5.02	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2023-39810	LOW3.98	busybox 1.37.0-r57 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-26157	LOW3.57	busybox 1.37.0-r57 fixed in 1.37.0-r58	0.7% Theoretical Threat	Post-Exploit
CVE-2026-26158	LOW3.57	busybox 1.37.0-r57 fixed in 1.37.0-r58	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45447	LOW2.92	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.6.2-r3 fixed in 3.6.3-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42764	LOW1.81	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW1.81	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW1.81	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW1.81	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42764	LOW1.81	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW1.81	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW1.81	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-35188	NONE0	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libcrypto3 3.6.2-r3 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libssl3 3.6.2-r3 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.9 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.25.9 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-46680	NONE0	github.com/containerd/containerd/v2 v2.3.0 fixed in 2.0.9, 2.2.4, 2.3.1	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-46680	NONE0	github.com/containerd/containerd/v2 v2.2.3 fixed in 2.0.9, 2.2.4, 2.3.1	—	Not Applicable