Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nNXEyLWN4Z3EtaDJyd84AAm1i
Information leak in Gerrit
An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.
Permalink: https://github.com/advisories/GHSA-g5q2-cxgq-h2rw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNXEyLWN4Z3EtaDJyd84AAm1i
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
Identifiers: GHSA-g5q2-cxgq-h2rw, CVE-2020-8920
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-8920
- https://gerrit.googlesource.com/gerrit/+/45071d6977932bca5a1427c8abad24710fed2e33
- https://www.gerritcodereview.com/2.14.html#21422
- https://www.gerritcodereview.com/2.15.html#21521
- https://www.gerritcodereview.com/2.16.html#21625
- https://www.gerritcodereview.com/3.1.html#3110
- https://www.gerritcodereview.com/3.2.html#325
- https://issues.gerritcodereview.com/issues/40012986
- https://www.gerritcodereview.com/3.0.html#3015
- https://github.com/advisories/GHSA-g5q2-cxgq-h2rw
Affected Packages
maven:com.google.gerrit:gerrit-plugin-api
Dependent packages: 7
Dependent repositories: 63
Downloads:
Affected Version Ranges:
- >= 3.2.0, < 3.2.5
- >= 3.1.0, < 3.1.10
- >= 3.0.0, < 3.0.15
- >= 2.16.0, < 2.16.25
- >= 2.15.0, < 2.15.21
- < 2.14.22
Fixed in: 3.2.5, 3.1.10, 3.0.15, 2.16.25, 2.15.21, 2.14.22
All affected versions: 2.9.1, 2.9.3, 2.9.5, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.6, 2.10.7, 2.10.8, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.13.9, 2.13.10, 2.13.11, 2.13.12, 2.13.13, 2.13.14, 2.14.1, 2.14.2, 2.14.3, 2.14.4, 2.14.5, 2.14.6, 2.14.7, 2.14.8, 2.14.9, 2.14.10, 2.14.11, 2.14.12, 2.14.13, 2.14.14, 2.14.15, 2.14.16, 2.14.17, 2.14.18, 2.14.19, 2.14.20, 2.14.21, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.15.6, 2.15.7, 2.15.8, 2.15.9, 2.15.10, 2.15.11, 2.15.12, 2.15.13, 2.15.14, 2.15.15, 2.15.16, 2.15.17, 2.15.18, 2.15.19, 2.15.20, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.16.9, 2.16.10, 2.16.12, 2.16.13, 2.16.14, 2.16.15, 2.16.16, 2.16.17, 2.16.18, 2.16.19, 2.16.20, 2.16.21, 2.16.22, 2.16.23, 2.16.24, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4
All unaffected versions: 2.15.21, 2.15.22, 2.16.25, 2.16.26, 2.16.27, 2.16.28, 3.0.15, 3.0.16, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.7.8, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4