About “Gerrit”

A curated feed of “Gerrit”-related CVEs appears below. We currently track 15 CVEs for this tag (all time). In the last 365 days, 1 was published. The average CVSS score is 6.0 (all time; 6.0 over the last 365 days), and 20% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-863 - Incorrect Authorization.

In our taxonomy this topic maps to a LOW impact class. Developer and CI/CD tooling touches supply chains and secrets. Patch controllers and agents, enforce SSO or MFA, rotate tokens, isolate runners, and audit plugins. The list can be sorted by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: gerrit

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle   Latest    Status
3.14    3.14.0
3.13    3.13.6
3.12    3.12.7
3.11    3.11.11   Expired
3.10    3.10.9    Expired
3.9     3.9.11    Expired
3.8     3.8.10    Expired
3.7     3.7.9     Expired
3.6     3.6.8     Expired
3.5     3.5.6     Expired
3.4     3.4.8     Expired
3.3     3.3.11    Expired
3.2     3.2.14    Expired
3.1     3.1.16    Expired
3.0     3.0.16    Expired
2.16    2.16.28   Expired
2.15    2.15.22   Expired
2.14    2.14.22   Expired
2.13    2.13.14   Expired


CVEs tagged with this topic, grouped by publication date:
2026-05-13
  CVE-2026-2725 (Medium): Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review…

2025-04-16
  CVE-2025-1568 (High): Access Control Vulnerability in Gerrit chromiumos project configuration in Google ChromeOS 16063.87.0 allows an attacker with a registered Gerrit account to inject malicious code into ChromeOS projec…

2023-01-26
  CVE-2023-24423 (Medium): A cross-site request forgery (CSRF) vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit.

2022-12-12
  CVE-2022-46688 (Medium): A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jen…

2022-04-12
  CVE-2022-29039 (Medium): Jenkins Gerrit Trigger Plugin 2.35.2 and earlier does not escape the name and description of Base64 Encoded String parameters on views displaying parameters, resulting in a stored cross-site scriptin…

2021-02-17
  CVE-2021-22553 (Medium): Any git operation is passed through Jetty and a session is created. No expiry is set for the session and Jetty does not automatically dispose of the session. Over multiple git actions, this can lead…

2020-12-10
  CVE-2020-8920 (Low): An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verificat…
  CVE-2020-8919 (Low): An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the defau…

2019-12-17
  CVE-2019-16552 (Medium): A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-…
  CVE-2019-16551 (High): A cross-site request forgery vulnerability in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers to connect to an attacker-specified HTTP URL or SSH server using attacker-specified cre…

2019-10-23
  CVE-2019-10467 (Medium): Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file…

2018-03-13
  CVE-2018-1000106 (Medium): An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overal…
  CVE-2018-1000105 (Medium): An improper authorization vulnerability exists in Jenkins Gerrit Trigger Plugin 2.27.4 and earlier in GerritManagement.java, GerritServer.java, and PluginImpl.java that allows an attacker with Overal…

2017-01-12
  CVE-2016-5737 (Medium): The Gerrit configuration in the Openstack Puppet module for Gerrit (aka puppet-gerrit) improperly marks text/html as a safe mimetype, which might allow remote attackers to conduct cross-site scriptin…

2006-07-25
  CVE-2006-3832 (High): SQL injection vulnerability in index.php in Gerrit van Aaken Loudblog 0.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.