Overoptimization leads to private information leak in Gerrit
CVE-2020-8920

3.5LOW

Key Information:

Vendor

Gerrit

Status
Gerrit
Vendor
CVE Published:
10 December 2020

What is CVE-2020-8920?

An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.

Affected Version(s)

Gerrit stable < 2.14.22

References

https://www.gerritcodereview.com/2.15.html#21521
x_refsource_CONFIRM
https://www.gerritcodereview.com/2.16.html#21625
x_refsource_CONFIRM
https://www.gerritcodereview.com/3.0.html#3014
x_refsource_CONFIRM

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.