CVE-2021-22553
Heap Memory exhaustion in Gerrit
In short
Gerrit doesn't automatically clean up sessions created during git operations, allowing them to accumulate in memory. Over time, this exhausts the server's heap memory and can cause the service to crash.
Technical detail
Git operations via Jetty create persistent sessions without expiry configuration; Jetty fails to auto-dispose these sessions, leading to unbounded memory accumulation. An attacker can trigger multiple git actions to exhaust heap memory and cause denial of service. Requires network access to perform git operations against the Gerrit server.
Summary generated and translated by AI from the official description.
Any git operation is passed through Jetty and a session is created. No expiry is set for the session and Jetty does not automatically dispose of the session. Over multiple git actions, this can lead to a heap memory exhaustion for Gerrit servers. We recommend upgrading Gerrit to any of the versions listed above.
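As an added illustration that is not Gerrit's or Jetty's own code, the two patterns the description contrasts, shown in an embedded Jetty 9 servlet context (the servlet names, paths and the 300-second timeout are assumptions; the javax.servlet API is assumed):

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class GitSessionDemo {

    // Weak pattern (hypothetical servlet): every git request allocates a server-side
    // session. With Jetty's default of no inactivity timeout, nothing ever removes it,
    // so each request leaves another object in the heap.
    static class LeakyGitServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            HttpSession s = req.getSession(true);  // creates a session for every new client
            resp.getWriter().println("session " + s.getId());
        }
    }

    // Hardened pattern (hypothetical servlet): git smart-HTTP needs no server-side state,
    // so never create a session here; if the client already has one, bound its lifetime.
    static class StatelessGitServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            HttpSession s = req.getSession(false);  // null unless a session already exists
            if (s != null) s.setMaxInactiveInterval(300);
            resp.getWriter().println("ok");
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        // Context-wide ceiling: sessions idle longer than this are expired and scavenged
        // by Jetty. Without this line the default is -1, i.e. sessions never expire.
        ctx.getSessionHandler().setMaxInactiveInterval(300);
        ctx.addServlet(new ServletHolder(new LeakyGitServlet()), "/leaky/*");
        ctx.addServlet(new ServletHolder(new StatelessGitServlet()), "/git/*");
        server.setHandler(ctx);
        server.start();
        server.join();
    }
}
```

Watching the session count and heap usage of a server that exposes `/leaky/*` versus `/git/*` under the same client traffic makes the accumulation visible; the fix is the combination of not creating sessions for stateless requests and setting a finite inactivity interval.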
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected products
Google LLC · Gerrit