Gerrit Google Gerrit

Do you want an email whenever new security vulnerabilities are reported in Google Gerrit?

By the Year

In 2021 there have been 1 vulnerability in Google Gerrit with an average score of 7.5 out of ten. Last year Gerrit had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Gerrit in 2021 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2021 is greater by 4.00.

Year Vulnerabilities Average Score
2021 1 7.50
2020 2 3.50
2019 0 0.00
2018 0 0.00

It may take a day or so for new Gerrit vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest Google Gerrit Security Vulnerabilities

Any git operation is passed through Jetty and a session is created

CVE-2021-22553 7.5 - High - February 17, 2021

Any git operation is passed through Jetty and a session is created. No expiry is set for the session and Jetty does not automatically dispose of the session. Over multiple git actions, this can lead to a heap memory exhaustion for Gerrit servers. We recommend upgrading Gerrit to any of the versions listed above.

Resource Exhaustion

An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API

CVE-2020-8919 3.5 - Low - December 10, 2020

An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.

AuthZ

An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories

CVE-2020-8920 3.5 - Low - December 10, 2020

An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.

AuthZ

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Google Gerrit or by Google? Click the Watch button to subscribe.

subscribe