CVE-2020-8919

CWE-285 CWE-863 — Incorrect Authorization3 documents3 sources

Severity

3.5LOW

EPSS

0.1%

top 77.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gerrit Gerrit Google Gerrit

Timeline

PublishedDec 10

Latest updateMay 24

Description

An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5gerrit/gerritstable — 2.15.21

▶NVDgoogle/gerrit2.15.0 — 2.15.21+4

Patches

Patch: gerrit.googlesource.com ↗Patch: gerrit.googlesource.com ↗

🔴Vulnerability Details

GHSA

GHSA-xh5j-7f7g-7g5c: An information leak vulnerability exists in Gerrit versions prior to 2↗2022-05-24

▶

CVEList

Information leakage in Gerrit↗2020-12-10

▶