Google Gerrit vulnerabilities
3 known vulnerabilities affecting google/gerrit.
Total CVEs
3
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH1LOW2
Vulnerabilities
Page 1 of 1
CVE-2021-22553HIGHCVSS 7.5fixed in 2.15.22≥ 2.16.0, < 2.16.26+4 more2021-02-17
CVE-2021-22553 [MEDIUM] CWE-400 CVE-2021-22553: Any git operation is passed through Jetty and a session is created. No expiry is set for the session
Any git operation is passed through Jetty and a session is created. No expiry is set for the session and Jetty does not automatically dispose of the session. Over multiple git actions, this can lead to a heap memory exhaustion for Gerrit servers. We recommend upgrading Gerrit to any of the versions listed above.
nvd
CVE-2020-8920LOWCVSS 3.5≥ 2.14.0, < 2.14.22≥ 2.15.0, < 2.15.21+4 more2020-12-10
CVE-2020-8920 [LOW] CWE-285 CVE-2020-8920: An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.
An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.
nvd
CVE-2020-8919LOWCVSS 3.5≥ 2.15.0, < 2.15.21≥ 2.16.0, < 2.16.25+3 more2020-12-10
CVE-2020-8919 [LOW] CWE-285 CVE-2020-8919: An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.1
An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.
nvd