CVE-2020-8920

Description

An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.

How to fix CVE-2020-8920

To remediate CVE-2020-8920, upgrade the affected package to a fixed version below.

• Maven/com.google.gerrit:gerrit-plugin-api—upgrade to 2.14.22 or later

Is CVE-2020-8920 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.14.22

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-8920
• WEBgerrit.googlesource.com/gerrit/+/45071d6977932bca5a1427c8abad24710fed2e33
• WEBissues.gerritcodereview.com/issues/40012986
• WEBwww.gerritcodereview.com/2.14.html#21422
• WEB