Vulnerability Reportconcourse/concourse:8.2.3

concourse/concourse:8.2.3

DIGESTsha256:aeaf17cb57389f7bc4176d2714519eab6c9c668fe67553849b9b18dbb04a3b31

Executive Summary

Threat ScoreDANGEROUS• Critical vulnerability CVE-2020-5415 (severity 10.0) enables identity spoofing via GitLab auth, leading to unauthorized team access.• 33 exposed vulnerabilities found, with one at maximum severity and high context importance.• Concourse is a gatekeeper for CI/CD pipelines; compromised authentication can lead to supply chain attacks.• Despite high community reputation (88M+ pulls), the severity of the top finding dictates a DANGEROUS verdict.

75/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (88M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker exploiting CVE-2020-5415 could spoof identity via the GitLab auth connector, gaining unauthorized access to Concourse teams. Note: this vulnerability only applies if the GitLab auth module is enabled; however, if enabled, the risk is severe. Immediate remediation by upgrading the dex library is mandatory.

Vulnerabilities

Vulnerability Log

50 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2020-5415	CRITICAL10	github.com/concourse/dex v1.14.0 fixed in 6.4.1, 6.3.1, 0.0.0-20200730150203-821b48abfd88	1.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33811	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-9076	MEDIUM5.02	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.26.3 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45447	LOW2.92	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.6.2-r5 fixed in 3.6.3-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42764	LOW1.81	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW1.81	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW1.81	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW1.81	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42764	LOW1.81	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW1.81	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW1.81	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-35188	NONE0	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libcrypto3 3.6.2-r5 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
CVE-2026-35188	NONE0	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42765	NONE0	libssl3 3.6.2-r5 fixed in 3.6.3-r0	0.4% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.3 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.3 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-46680	NONE0	github.com/containerd/containerd/v2 v2.2.3 fixed in 2.0.9, 2.2.4, 2.3.1	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable