Skip to content

Information leak in Gerrit

Low severity GitHub Reviewed Published May 24, 2022 to the GitHub Advisory Database • Updated Jan 9, 2024

Package

maven com.google.gerrit:gerrit-plugin-api (Maven)

Affected versions

< 2.14.22
>= 2.15.0, < 2.15.21
>= 2.16.0, < 2.16.25
>= 3.0.0, < 3.0.15
>= 3.1.0, < 3.1.10
>= 3.2.0, < 3.2.5

Patched versions

2.14.22
2.15.21
2.16.25
3.0.15
3.1.10
3.2.5

Description

An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.

References

Published by the National Vulnerability Database Dec 10, 2020
Published to the GitHub Advisory Database May 24, 2022
Reviewed Jan 9, 2024
Last updated Jan 9, 2024

Severity

Low

EPSS score

0.064%
(30th percentile)

Weaknesses

CVE ID

CVE-2020-8920

GHSA ID

GHSA-g5q2-cxgq-h2rw

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.