CVE-2020-8919

EPSS 0.08%
Published 10.12.2020 11:15:11
Last modified 21.11.2024 05:39:41
Source cve-coordination@google.com
Teams watchlist Login
Open Login

An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.

Affected products Warnungen 0 Metrics 4 CWE 2 References 9

Data is provided by the National Vulnerability Database (NVD)

Google ≫ Gerrit Version >= 2.15.0 < 2.15.21

Google ≫ Gerrit Version >= 2.16.0 < 2.16.25

Google ≫ Gerrit Version >= 3.0.0 < 3.0.15

Google ≫ Gerrit Version >= 3.1.0 < 3.1.10

Google ≫ Gerrit Version >= 3.2.0 < 3.2.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.08%	0.198

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	3.5	2.1	1.4	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	2.7	5.1	2.9	AV:A/AC:L/Au:S/C:P/I:N/A:N
cve-coordination@google.com	3.5	2.1	1.4	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://gerrit.googlesource.com/gerrit/+/0532fb876cb86bc091a91f78e6f28fff9e39ca65

Patch

Vendor Advisory

Issue Tracking

https://www.gerritcodereview.com/2.15.html#21521

Vendor Advisory

Release Notes

https://www.gerritcodereview.com/2.16.html#21625

Vendor Advisory

Release Notes

https://www.gerritcodereview.com/3.0.html#3014

Vendor Advisory