3.5

CVE-2020-8920

Overoptimization leads to private information leak in Gerrit

An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GoogleGerrit Version >= 2.14.0 < 2.14.22
GoogleGerrit Version >= 2.15.0 < 2.15.21
GoogleGerrit Version >= 2.16.0 < 2.16.25
GoogleGerrit Version >= 3.0.0 < 3.0.15
GoogleGerrit Version >= 3.1.0 < 3.1.10
GoogleGerrit Version >= 3.2.0 < 3.2.5
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.37% 0.284
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.5 2.1 1.4
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 2.7 5.1 2.9
AV:A/AC:L/Au:S/C:P/I:N/A:N
cve-coordination@google.com 3.5 2.1 1.4
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://www.gerritcodereview.com/2.15.html#21521
Vendor Advisory
Release Notes
https://www.gerritcodereview.com/2.16.html#21625
Vendor Advisory
Release Notes
https://www.gerritcodereview.com/3.0.html#3014
Vendor Advisory
Release Notes
https://www.gerritcodereview.com/3.1.html#3110
Vendor Advisory
Release Notes
https://www.gerritcodereview.com/3.2.html#325
Vendor Advisory
Release Notes
https://gerrit.googlesource.com/gerrit/+/45071d6977932bca5a1427c8abad24710fed2e33
Patch
Vendor Advisory
Issue Tracking
https://www.gerritcodereview.com/2.14.html#21422
Vendor Advisory
Release Notes