CVE-2020-8920
low-risk
Published 2020-12-10
An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.
Do I need to act?
-
0.08% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.5/10
Low
ADJACENT_NETWORK
/ LOW complexity
Affected Products (1)
Gerrit
Affected Vendors
References (14)
Release Notes
https://www.gerritcodereview.com/2.14.html#21422
Release Notes
https://www.gerritcodereview.com/2.15.html#21521
Release Notes
https://www.gerritcodereview.com/2.16.html#21625
Release Notes
https://www.gerritcodereview.com/3.0.html#3014
Release Notes
https://www.gerritcodereview.com/3.1.html#3110
Release Notes
https://www.gerritcodereview.com/3.2.html#325
Release Notes
https://www.gerritcodereview.com/2.14.html#21422
Release Notes
https://www.gerritcodereview.com/2.15.html#21521
Release Notes
https://www.gerritcodereview.com/2.16.html#21625
Release Notes
https://www.gerritcodereview.com/3.0.html#3014
Release Notes
https://www.gerritcodereview.com/3.1.html#3110
Release Notes
https://www.gerritcodereview.com/3.2.html#325
18
/ 100
low-risk
Severity
13/34 · Low
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal