Vulnerability Details CVE-2020-8919
An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 23.7%
CVSS Severity
CVSS v3 Score 3.5
CVSS v2 Score 2.7
References
- https://gerrit.googlesource.com/gerrit/+/0532fb876cb86bc091a91f78e6f28fff9e39ca65
- https://www.gerritcodereview.com/2.15.html#21521
- https://www.gerritcodereview.com/2.16.html#21625
- https://www.gerritcodereview.com/3.0.html#3014
- https://www.gerritcodereview.com/3.1.html#3110
- https://www.gerritcodereview.com/3.2.html#325
- https://gerrit.googlesource.com/gerrit/+/0532fb876cb86bc091a91f78e6f28fff9e39ca65
- https://www.gerritcodereview.com/2.15.html#21521
- https://www.gerritcodereview.com/2.16.html#21625
- https://www.gerritcodereview.com/3.0.html#3014
- https://www.gerritcodereview.com/3.1.html#3110
- https://www.gerritcodereview.com/3.2.html#325
Products affected by CVE-2020-8919
-
cpe:2.3:a:google:gerrit:2.15.1
-
cpe:2.3:a:google:gerrit:2.15.10
-
cpe:2.3:a:google:gerrit:2.15.11
-
cpe:2.3:a:google:gerrit:2.15.12
-
cpe:2.3:a:google:gerrit:2.15.13
-
cpe:2.3:a:google:gerrit:2.15.14
-
cpe:2.3:a:google:gerrit:2.15.15
-
cpe:2.3:a:google:gerrit:2.15.16
-
cpe:2.3:a:google:gerrit:2.15.17
-
cpe:2.3:a:google:gerrit:2.15.18
-
cpe:2.3:a:google:gerrit:2.15.19
-
cpe:2.3:a:google:gerrit:2.15.2
-
cpe:2.3:a:google:gerrit:2.15.20
-
cpe:2.3:a:google:gerrit:2.15.3
-
cpe:2.3:a:google:gerrit:2.15.4
-
cpe:2.3:a:google:gerrit:2.15.5
-
cpe:2.3:a:google:gerrit:2.15.6
-
cpe:2.3:a:google:gerrit:2.15.7
-
cpe:2.3:a:google:gerrit:2.15.8
-
cpe:2.3:a:google:gerrit:2.15.9
-
cpe:2.3:a:google:gerrit:2.16.1
-
cpe:2.3:a:google:gerrit:2.16.10
-
cpe:2.3:a:google:gerrit:2.16.11.1
-
cpe:2.3:a:google:gerrit:2.16.12
-
cpe:2.3:a:google:gerrit:2.16.13
-
cpe:2.3:a:google:gerrit:2.16.14
-
cpe:2.3:a:google:gerrit:2.16.15
-
cpe:2.3:a:google:gerrit:2.16.16
-
cpe:2.3:a:google:gerrit:2.16.17
-
cpe:2.3:a:google:gerrit:2.16.18
-
cpe:2.3:a:google:gerrit:2.16.19
-
cpe:2.3:a:google:gerrit:2.16.2
-
cpe:2.3:a:google:gerrit:2.16.20
-
cpe:2.3:a:google:gerrit:2.16.21
-
cpe:2.3:a:google:gerrit:2.16.22
-
cpe:2.3:a:google:gerrit:2.16.23
-
cpe:2.3:a:google:gerrit:2.16.24
-
cpe:2.3:a:google:gerrit:2.16.3
-
cpe:2.3:a:google:gerrit:2.16.4
-
cpe:2.3:a:google:gerrit:2.16.5
-
cpe:2.3:a:google:gerrit:2.16.6
-
cpe:2.3:a:google:gerrit:2.16.7
-
cpe:2.3:a:google:gerrit:2.16.8
-
cpe:2.3:a:google:gerrit:2.16.9
-
cpe:2.3:a:google:gerrit:3.0.0
-
cpe:2.3:a:google:gerrit:3.0.1
-
cpe:2.3:a:google:gerrit:3.0.10
-
cpe:2.3:a:google:gerrit:3.0.11
-
cpe:2.3:a:google:gerrit:3.0.12
-
cpe:2.3:a:google:gerrit:3.0.13
-
cpe:2.3:a:google:gerrit:3.0.14
-
cpe:2.3:a:google:gerrit:3.0.2
-
cpe:2.3:a:google:gerrit:3.0.3
-
cpe:2.3:a:google:gerrit:3.0.4
-
cpe:2.3:a:google:gerrit:3.0.5
-
cpe:2.3:a:google:gerrit:3.0.6
-
cpe:2.3:a:google:gerrit:3.0.7
-
cpe:2.3:a:google:gerrit:3.0.8
-
cpe:2.3:a:google:gerrit:3.0.9
-
cpe:2.3:a:google:gerrit:3.1.0
-
cpe:2.3:a:google:gerrit:3.1.1
-
cpe:2.3:a:google:gerrit:3.1.2
-
cpe:2.3:a:google:gerrit:3.1.3
-
cpe:2.3:a:google:gerrit:3.1.4
-
cpe:2.3:a:google:gerrit:3.1.5
-
cpe:2.3:a:google:gerrit:3.1.6
-
cpe:2.3:a:google:gerrit:3.1.7
-
cpe:2.3:a:google:gerrit:3.1.8
-
cpe:2.3:a:google:gerrit:3.1.9
-
cpe:2.3:a:google:gerrit:3.2.0
-
cpe:2.3:a:google:gerrit:3.2.1
-
cpe:2.3:a:google:gerrit:3.2.2
-
cpe:2.3:a:google:gerrit:3.2.3
-
cpe:2.3:a:google:gerrit:3.2.4