3.5

CVE-2020-8919

An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GoogleGerrit Version >= 2.15.0 < 2.15.21
GoogleGerrit Version >= 2.16.0 < 2.16.25
GoogleGerrit Version >= 3.0.0 < 3.0.15
GoogleGerrit Version >= 3.1.0 < 3.1.10
GoogleGerrit Version >= 3.2.0 < 3.2.5
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.08% 0.198
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.5 2.1 1.4
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 2.7 5.1 2.9
AV:A/AC:L/Au:S/C:P/I:N/A:N
cve-coordination@google.com 3.5 2.1 1.4
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.gerritcodereview.com/3.0.html#3014
Vendor Advisory
Release Notes
https://www.gerritcodereview.com/3.1.html#3110
Vendor Advisory
Release Notes
https://www.gerritcodereview.com/3.2.html#325
Vendor Advisory
Release Notes