CVE-2020-8919

Information leakage in Gerrit

Description

An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.

References

Link	Tags
https://gerrit.googlesource.com/gerrit/+/0532fb876cb86bc091a91f78e6f28fff9e39ca65	issue tracking patch vendor advisory
https://www.gerritcodereview.com/2.15.html#21521	release notes vendor advisory
https://www.gerritcodereview.com/2.16.html#21625	release notes vendor advisory
https://www.gerritcodereview.com/3.0.html#3014	release notes vendor advisory
https://www.gerritcodereview.com/3.1.html#3110	release notes vendor advisory
https://www.gerritcodereview.com/3.2.html#325	release notes vendor advisory

Frequently Asked Questions

What is the severity of CVE-2020-8919?: CVE-2020-8919 has been scored as a low severity vulnerability.
How to fix CVE-2020-8919?: To fix CVE-2020-8919, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-8919 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2020-8919 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-8919?: CVE-2020-8919 affects Gerrit Gerrit.

Description

Categories

CWE-285 – Improper Authorization

CWE-863 – Incorrect Authorization

References

Frequently Asked Questions