3.5

CVE-2020-8920

An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GoogleGerrit Version >= 2.14.0 < 2.14.22
GoogleGerrit Version >= 2.15.0 < 2.15.21
GoogleGerrit Version >= 2.16.0 < 2.16.25
GoogleGerrit Version >= 3.0.0 < 3.0.15
GoogleGerrit Version >= 3.1.0 < 3.1.10
GoogleGerrit Version >= 3.2.0 < 3.2.5
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.08% 0.198
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.5 2.1 1.4
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 2.7 5.1 2.9
AV:A/AC:L/Au:S/C:P/I:N/A:N
cve-coordination@google.com 3.5 2.1 1.4
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://www.gerritcodereview.com/3.0.html#3014
Vendor Advisory
Release Notes
https://www.gerritcodereview.com/3.1.html#3110
Vendor Advisory
Release Notes
https://www.gerritcodereview.com/3.2.html#325
Vendor Advisory
Release Notes