PT-2020-20370 · Google · Gerrit

Luca Milanesio · Published 2020-12-10 · Updated 2022-05-24 · CVE-2020-8920

CVSS v3.1: 3.5 (Low)

Vector: AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Gerrit versions prior to 2.14.22
Gerrit versions prior to 2.15.21
Gerrit versions prior to 2.16.25
Gerrit versions prior to 3.0.15
Gerrit versions prior to 3.1.10
Gerrit versions prior to 3.2.5

Description

An information leak issue exists where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.

Recommendations

For versions prior to 2.14.22, update to version 2.14.22 or later.
For versions prior to 2.15.21, update to version 2.15.21 or later.
For versions prior to 2.16.25, update to version 2.16.25 or later.
For versions prior to 3.0.15, update to version 3.0.15 or later.
For versions prior to 3.1.10, update to version 3.1.10 or later.
For versions prior to 3.2.5, update to version 3.2.5 or later.

Fix

Weakness Enumeration

Improper Authorization
Incorrect Authorization

Related Identifiers

CVE-2020-8920
GHSA-G5Q2-CXGQ-H2RW

Affected Products

Gerrit