Gerrit
cpe:2.3:a:google:gerrit:*:*:*:*:*:*:*
- >= 2.12.0, <= 3.11.7
A vulnerability exists in Gerrit versions 2.12 and later in the 'submitted together' feature. It allows an authenticated attacker who holds force-push permission on a secondary branch to bypass code review and forcibly submit code to restricted branches. The attack consists of crafting a submission that carries the same 'topic' tag as an unapproved change.
Exploitation of this vulnerability enables an attacker to force-merge any visible change they can read, bypassing all standard submission requirements such as code review approvals and continuous integration checks. This results in unreviewed and unapproved code being merged into the target branch.
The vulnerability can be reproduced by an authenticated user with direct push and 'submit whole topic' permissions. The attacker must have read access to a victim's change that is open and unapproved, and the Gerrit server must have 'change.submitWholeTopic' enabled. The attacker can then push a change with the same topic as the victim's unapproved change, using the '%submit' option to force the merge, which will bypass all review requirements.
Upgrade to Gerrit 3.11.9, 3.12.5, or 3.13.4, where this vulnerability has been fixed. For installations running versions 2.12.0 up to 3.11.7 that cannot upgrade immediately, disabling the 'change.submitWholeTopic' feature is a reliable mitigation.
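As an added illustration of that mitigation (not part of the original advisory), the setting lives in the `[change]` section of `gerrit.config` in Gerrit's git-config syntax; the file path below assumes a default site layout under `$site_path/etc/`:

```ini
# $site_path/etc/gerrit.config (path assumed; adjust to your site)
#
# Vulnerable configuration on 2.12.0 - 3.11.7:
#   [change]
#       submitWholeTopic = true
#
# Mitigated configuration: submitting a whole topic at once is disabled,
# so a change sharing a topic with an unapproved change is no longer
# pulled into the merge. The key defaults to false when absent, so an
# explicit false also guards against an inherited or templated "true".
[change]
    submitWholeTopic = false
```

Gerrit reads `gerrit.config` at startup, so restart the service after the edit and confirm the change is in effect before relying on it; treat this as an interim control and still schedule the upgrade to a fixed release.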