CVE-2021-22553
17.02.2021, 12:15
Any git operation is passed through Jetty and a session is created. No expiry is set for the session and Jetty does not automatically dispose of the session. Over multiple git actions, this can lead to a heap memory exhaustion for Gerrit servers. We recommend upgrading Gerrit to any of the versions listed above.Enginsight
| Vendor | Product | Version |
|---|---|---|
| gerrit | 𝑥 < 2.15.22 | |
| gerrit | 2.16.0 ≤ 𝑥 < 2.16.26 | |
| gerrit | 3.0.0 ≤ 𝑥 < 3.0.16 | |
| gerrit | 3.1.0 ≤ 𝑥 < 3.1.12 | |
| gerrit | 3.2.0 ≤ 𝑥 < 3.2.7 | |
| gerrit | 3.3.0 ≤ 𝑥 < 3.3.2 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-400 - Uncontrolled Resource ConsumptionThe software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
- CWE-772 - Missing Release of Resource after Effective LifetimeThe software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.