GHSA-g5q2-cxgq-h2rw

Suggest an improvement
Source
https://github.com/advisories/GHSA-g5q2-cxgq-h2rw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g5q2-cxgq-h2rw/GHSA-g5q2-cxgq-h2rw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-g5q2-cxgq-h2rw
Aliases
  • CVE-2020-8920
Published
2022-05-24T17:35:58Z
Modified
2024-11-30T05:34:57.371057Z
Summary
Information leak in Gerrit
Details

An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.

Database specific
{
    "nvd_published_at": "2020-12-10T11:15:00Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T21:44:57Z"
}
References

Affected packages

Maven / com.google.gerrit:gerrit-plugin-api

Package

Name
com.google.gerrit:gerrit-plugin-api
View open source insights on deps.dev
Purl
pkg:maven/com.google.gerrit/gerrit-plugin-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.14.22

Affected versions

2.*

2.9-rc1
2.9-rc2
2.9
2.9.1
2.9.3
2.9.5
2.10-rc1
2.10-rc2
2.10
2.10.1
2.10.2
2.10.3
2.10.3.1
2.10.4
2.10.5
2.10.6
2.10.7
2.10.8
2.11
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.7
2.11.8
2.11.9
2.11.10
2.11.11
2.11.12
2.12-rc0
2.12
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.12.6
2.12.7
2.12.8
2.12.9
2.13-rc1
2.13
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8
2.13.9
2.13.10
2.13.11
2.13.12
2.13.13
2.13.14
2.14-rc0
2.14-rc1
2.14
2.14.1
2.14.2
2.14.3
2.14.4
2.14.5
2.14.5.1
2.14.6
2.14.7
2.14.8
2.14.9
2.14.10
2.14.11
2.14.12
2.14.13
2.14.14
2.14.15
2.14.16
2.14.17
2.14.18
2.14.19
2.14.20
2.14.21

Maven / com.google.gerrit:gerrit-plugin-api

Package

Name
com.google.gerrit:gerrit-plugin-api
View open source insights on deps.dev
Purl
pkg:maven/com.google.gerrit/gerrit-plugin-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.15.0
Fixed
2.15.21

Affected versions

2.*

2.15
2.15.1
2.15.2
2.15.3
2.15.4
2.15.5
2.15.6
2.15.7
2.15.8
2.15.9
2.15.10
2.15.11
2.15.12
2.15.13
2.15.14
2.15.15
2.15.16
2.15.17
2.15.18
2.15.19
2.15.20

Maven / com.google.gerrit:gerrit-plugin-api

Package

Name
com.google.gerrit:gerrit-plugin-api
View open source insights on deps.dev
Purl
pkg:maven/com.google.gerrit/gerrit-plugin-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.16.0
Fixed
2.16.25

Affected versions

2.*

2.16
2.16.1
2.16.2
2.16.3
2.16.4
2.16.5
2.16.6
2.16.7
2.16.8
2.16.9
2.16.10
2.16.11.1
2.16.12
2.16.13
2.16.14
2.16.15
2.16.16
2.16.17
2.16.18
2.16.19
2.16.20
2.16.21
2.16.22
2.16.23
2.16.24

Maven / com.google.gerrit:gerrit-plugin-api

Package

Name
com.google.gerrit:gerrit-plugin-api
View open source insights on deps.dev
Purl
pkg:maven/com.google.gerrit/gerrit-plugin-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.15

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14

Maven / com.google.gerrit:gerrit-plugin-api

Package

Name
com.google.gerrit:gerrit-plugin-api
View open source insights on deps.dev
Purl
pkg:maven/com.google.gerrit/gerrit-plugin-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.10

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9

Maven / com.google.gerrit:gerrit-plugin-api

Package

Name
com.google.gerrit:gerrit-plugin-api
View open source insights on deps.dev
Purl
pkg:maven/com.google.gerrit/gerrit-plugin-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.0
Fixed
3.2.5

Affected versions

3.*

3.2.0
3.2.1
3.2.2
3.2.3
3.2.4