Vulnerabilities > CVE-2020-8919 - Incorrect Authorization vulnerability in Google Gerrit
Attack vector
ADJACENT_NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
LOW Integrity impact
NONE Availability impact
NONE Summary
An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://gerrit.googlesource.com/gerrit/+/0532fb876cb86bc091a91f78e6f28fff9e39ca65
- https://gerrit.googlesource.com/gerrit/+/0532fb876cb86bc091a91f78e6f28fff9e39ca65
- https://www.gerritcodereview.com/2.15.html#21521
- https://www.gerritcodereview.com/2.15.html#21521
- https://www.gerritcodereview.com/2.16.html#21625
- https://www.gerritcodereview.com/2.16.html#21625
- https://www.gerritcodereview.com/3.0.html#3014
- https://www.gerritcodereview.com/3.0.html#3014
- https://www.gerritcodereview.com/3.1.html#3110
- https://www.gerritcodereview.com/3.1.html#3110
- https://www.gerritcodereview.com/3.2.html#325
- https://www.gerritcodereview.com/3.2.html#325