Status: Fixed
Comments
ek...@google.com <ek...@google.com> #3
[Empty comment from Monorail migration]
lu...@gmail.com <lu...@gmail.com> #4
The first fix was submitted (disabling the V2 protocol) and this issue has been mitigated. However, we can't say that it is fixed until the final fix lands in the codebase.
th...@yahoo.com <th...@yahoo.com> #5
When will git protocol v2 be re-enabled?
Description
Confidentiality Impact: High. (Providing the full list of refs to any user that has access to the repository could disclose sensitive and confidential information to unauthorized users.)
Integrity Impact: None.
Availability Impact: None.
Access Complexity: Low. (Having access to a single repository is enough to see all of its refs.)
Authentication: Single system. (The vulnerability requires an attacker to be registered and to have access to the system using the Git protocol.)
Gained Access: None.
Description:
The Git protocol v2 is flagged as experimental and is not available by default in Gerrit v2.16, and it is not implemented in earlier versions. However, if it is explicitly enabled in gerrit.config, it allows any user that has access to a project to list and fetch any refs associated with it, regardless of that user's actual access permissions.
Gerrit ACLs are enforced using JGit's AdvertiseRefsHook, which calls RefFilter. The AdvertiseRefsHook is usually set by UploadPack.setAdvertiseRefsHook, but if Gerrit has protocol v2 enabled in gerrit.config and the client is using the git protocol v2 feature, the hook is not invoked.
As a result, the Gerrit permissions defined in the ACLs are entirely ignored, and every user can see the names and associated SHA-1s of all refs from a git client using 'git fetch' or 'git ls-remote'.
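The bypass described above is easiest to confirm from the client side: compare what the server advertises to a low-privileged user with what that user's ACL allows. The following check is an added example (not Gerrit's or JGit's code). It models a simplified version of Gerrit ref-pattern matching (exact name, trailing `*` wildcard, `^` regex prefix; this simplification is an assumption), parses constructed `git ls-remote` output with placeholder SHA-1s, and reports every ref that a correctly enforced RefFilter would have hidden.

```python
"""Detect refs advertised to a user beyond what their ACL grants.

Added example, not Gerrit's or JGit's own code. The access patterns and
the 'git ls-remote' output below are constructed for illustration.
"""
import re


def pattern_matches(pattern, ref):
    """Simplified Gerrit ref-pattern semantics (assumption): exact name,
    trailing '*' prefix wildcard, or '^'-prefixed regular expression."""
    if pattern.startswith("^"):
        return re.fullmatch(pattern[1:], ref) is not None
    if pattern.endswith("*"):
        return ref.startswith(pattern[:-1])
    return ref == pattern


def visible_refs(refs, allowed_patterns):
    """The subset of refs a correctly enforced RefFilter would advertise."""
    return {r for r in refs if any(pattern_matches(p, r) for p in allowed_patterns)}


def parse_ls_remote(output):
    """Parse 'git ls-remote' lines of the form '<sha1>\\t<refname>'."""
    refs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        sha, _, name = line.partition("\t")
        refs[name] = sha
    return refs


def leaked_refs(advertised, allowed_patterns):
    """Refs (with SHA-1s) that were advertised although this user may not read them."""
    allowed = visible_refs(advertised.keys(), allowed_patterns)
    return {name: sha for name, sha in advertised.items() if name not in allowed}


# Constructed sample: what 'git ls-remote' returned to a user whose ACL grants
# read access only on refs/heads/* (and HEAD). The SHA-1s are placeholders.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/heads/master
2222222222222222222222222222222222222222\trefs/heads/release-1.0
3333333333333333333333333333333333333333\trefs/meta/config
4444444444444444444444444444444444444444\trefs/changes/45/12345/1
5555555555555555555555555555555555555555\tHEAD
"""
USER_READ_PATTERNS = ["refs/heads/*", "HEAD"]

if __name__ == "__main__":
    leaks = leaked_refs(parse_ls_remote(SAMPLE_LS_REMOTE), USER_READ_PATTERNS)
    for name, sha in sorted(leaks.items()):
        print(f"LEAKED {name} {sha}")
```

With the sample input the script reports refs/meta/config and refs/changes/45/12345/1 as leaked; an empty result after applying the remediation confirms the advertisement is filtered again.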
Remediation:
On Gerrit v2.16 and v2.16.1, disable the Git protocol v2 if it has been enabled in gerrit.config.
Example:
[receive]
enableProtocolV2 = false
Upgrade to v2.16.2 whenever possible; in that version the Git protocol v2 is always disabled.
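To audit a fleet of Gerrit v2.16 / v2.16.1 servers for the setting above, the following added example (not Gerrit's own tooling) parses a gerrit.config in git-config syntax, applies git's boolean rules to receive.enableProtocolV2, and rewrites the file so the key is explicitly false, appending a [receive] section if none exists. The sample configuration is constructed, including the placeholder hostname.

```python
"""Audit and remediate receive.enableProtocolV2 in a gerrit.config.

Added example, not Gerrit's own code. The sample config is constructed.
"""
import re

_SECTION = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
_KEY = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def _strip_comment(line):
    """Drop '#' and ';' comments (quoted values are not handled; assumption)."""
    return line.split("#", 1)[0].split(";", 1)[0]


def parse_git_config(text):
    """Minimal git-config parser: {'section.key': value}, names lower-cased
    as git does, last occurrence wins. Subsections become 'section.sub.key'."""
    values = {}
    section = None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2):
                section += "." + m.group(2)
            continue
        m = _KEY.match(line)
        if m and section is not None:
            values[f"{section}.{m.group(1).lower()}"] = m.group(2)
    return values


def git_bool(value):
    """git-config boolean semantics (true/yes/on/1, false/no/off/0/empty)."""
    v = value.strip().lower()
    if v in ("true", "yes", "on", "1"):
        return True
    if v in ("false", "no", "off", "0", ""):
        return False
    raise ValueError(f"not a git boolean: {value!r}")


def protocol_v2_enabled(config_text):
    """True when the config enables the experimental protocol v2 (default off, per the advisory)."""
    return git_bool(parse_git_config(config_text).get("receive.enableprotocolv2", "false"))


def disable_protocol_v2(config_text):
    """Return the config with receive.enableProtocolV2 = false: the first
    occurrence is rewritten, later duplicates dropped, section appended if absent."""
    out = []
    section = None
    done = False
    for raw in config_text.splitlines():
        line = _strip_comment(raw)
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower() if not m.group(2) else None
        k = _KEY.match(line)
        if section == "receive" and k and k.group(1).lower() == "enableprotocolv2":
            if not done:
                out.append("\tenableProtocolV2 = false")
                done = True
            continue
        out.append(raw)
    if not done:
        out += ["[receive]", "\tenableProtocolV2 = false"]
    return "\n".join(out) + "\n"


# Constructed sample gerrit.config with the weak setting present.
SAMPLE_CONFIG = """\
[gerrit]
\tbasePath = git
\tcanonicalWebUrl = https://gerrit.example.invalid/
[receive]
\tenableProtocolV2 = true   # experimental, switched on during evaluation
[sshd]
\tlistenAddress = *:29418
"""

if __name__ == "__main__":
    print("protocol v2 enabled:", protocol_v2_enabled(SAMPLE_CONFIG))
    print(disable_protocol_v2(SAMPLE_CONFIG))
```

Gerrit reads gerrit.config at startup, so the rewritten file takes effect only after a restart; re-running the ls-remote comparison from a low-privileged account is the confirmation that the advertisement is filtered again.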