CVE-2020-8920

Low

Description

An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, and 3.2.5, where an over-optimization in the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.

References

https://www.gerritcodereview.com/3.2.html#325

https://www.gerritcodereview.com/3.1.html#3110

https://www.gerritcodereview.com/3.0.html#3014

https://www.gerritcodereview.com/2.16.html#21625

https://www.gerritcodereview.com/2.15.html#21521

https://www.gerritcodereview.com/2.14.html#21422

https://gerrit.googlesource.com/gerrit/+/45071d6977932bca5a1427c8abad24710fed2e33

Details

Source: Mitre, NVD

Published: 2020-12-10

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 2.7

Vector: CVSS2#AV:A/AC:L/Au:S/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 3.5

Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Severity: Low

EPSS

EPSS: 0.00076