3.5
CVE-2020-8920
- EPSS 0.37%
- Veröffentlicht 10.12.2020 11:15:11
- Zuletzt bearbeitet 21.11.2024 05:39:41
- Quelle cve-coordination@google.com
- CVE-Watchlists
- Unerledigt
Overoptimization leads to private information leak in Gerrit
An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.37% | 0.284 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 3.5 | 2.1 | 1.4 |
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
| nvd@nist.gov | 2.7 | 5.1 | 2.9 |
AV:A/AC:L/Au:S/C:P/I:N/A:N
|
| cve-coordination@google.com | 3.5 | 2.1 | 1.4 |
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-285 Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
https://www.gerritcodereview.com/2.15.html#21521
https://www.gerritcodereview.com/2.16.html#21625
https://www.gerritcodereview.com/3.0.html#3014
https://www.gerritcodereview.com/3.1.html#3110
https://www.gerritcodereview.com/3.2.html#325
https://gerrit.googlesource.com/gerrit/+/45071d6977932bca5a1427c8abad24710fed2e33
https://www.gerritcodereview.com/2.14.html#21422