CVE-2020-8920 — Improper Authorization in Gerrit

CWE-285 — Improper Authorization CWE-863 — Incorrect Authorization4 documents4 sources

Severity

3.5LOWNVD

EPSS

0.1%

top 77.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gerrit Google Gerrit

Timeline

PublishedDec 10

Latest updateMay 24

Description

An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5gerrit/gerritstable — 2.14.22

▶NVDgoogle/gerrit2.14.0 — 2.14.22+5

Patches

Patch: gerrit.googlesource.com ↗Patch: gerrit.googlesource.com ↗

🔴Vulnerability Details

GHSA

Information leak in Gerrit↗2022-05-24

▶

OSV

Information leak in Gerrit↗2022-05-24

▶

CVEList

Overoptimization leads to private information leak in Gerrit↗2020-12-10

▶