CVE-2021-22553

Summary

Any git operation is passed through Jetty and a session is created. No expiry is set for the session and Jetty does not automatically dispose of the session. Over multiple git actions, this can lead to a heap memory exhaustion for Gerrit servers. We recommend upgrading Gerrit to any of the versions listed above.

Affected Software

VendorProductVersion RangeStatus
Google LLCGerritunspecified < 2.15.22affected
Google LLCGerritunspecified < 2.16.26affected
Google LLCGerritunspecified < 3.0.16affected
Google LLCGerritunspecified < 3.1.12affected
Google LLCGerritunspecified < 3.2.7affected
Google LLCGerritunspecified < 3.3.2affected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption

ADP Enrichment

CVE Program Container

Additional References

References