SonarQube Jenkins Plugin - Plain Text Password

🗓️ 18 Dec 2013 00:00:00Reported by Christian CatalanoType

Jenkins SonarQube Plugin Plain Text Password Vulnerability in Jenkins C

Reporter	Title	Published	Views	Family All 13
CVE	CVE-2013-5676	13 Dec 201317:00	–	cve
Cvelist	CVE-2013-5676	13 Dec 201317:00	–	cvelist
EUVD	EUVD-2013-5514	7 Oct 202500:30	–	euvd
exploitpack	SonarQube Jenkins Plugin - Plain Text Password	18 Dec 201300:00	–	exploitpack
Github Security Blog	Jenkins SonarQube Plugin Stores Passwords in Cleartext	17 May 202204:56	–	github
NVD	CVE-2013-5676	13 Dec 201318:55	–	nvd
OSV	GHSA-3X9H-3P7M-33M7 Jenkins SonarQube Plugin Stores Passwords in Cleartext	17 May 202204:56	–	osv
Packet Storm	SonarQube Jenkins Password Disclosure	13 Aug 201600:00	–	packetstorm
Prion	Design/Logic Flaw	13 Dec 201318:55	–	prion
securityvulns	[CVE-2013-5676] Plain Text Password In SonarQube Jenkins Plugin	9 Jan 201400:00	–	securityvulns

###################################################

1. ###  Advisory Information ###

Title: SonarQube Jenkins Plugin - Plain Text Password
Date published: 2013-12-05
Date of last update: 2013-12-05
Vendors contacted: SonarQube and Jenkins CI
Discovered by: Christian Catalano
Severity: High


2. ###  Vulnerability Information ###

CVE reference     : CVE-2013-5676
CVSS v2 Base Score: 9.0
CVSS v2 Vector    : (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Component/s       : Jenkins SonarQube Plugin
Class             : plain text password


3. ### Introduction ###

Jenkins CI is an extendable open source continuous integration server
http://jenkins-ci.org.

Jenkins SonarQube Plugin  allows you to trigger SonarQube analysis
from Jenkins CI using either a:

- Build step to trigger the analysis with the SonarQube Runner
- Post-build action to trigger the analysis with Maven

http://docs.codehaus.org/display/SONAR/Jenkins+Plugin


4. ### Vulnerability Description ###

The default installation and configuration of Jenkins SonarQube Plugin
in Jenkins CI is prone to a security vulnerability.

This vulnerability could be exploited by a remote attacker (a jenkins
malicious user with Manage Jenkins enabled) to obtain the SonarQube's
credentials.


5. ### Technical Description / Proof of Concept Code ###

Below is a harmless test that can be executed to check if a Jenkins
SonarQube Plugin installation is vulnerable.

Using a browser with a web proxy go to the following URL:

https://jenkinsserver:9444/jenkins/configure

check the parameter "sonar.sonarPassword" in Sonar installations section.

A vulnerable installation will show the password in plain text.


6. ### Business Impact ###

An attacker (a jenkins malicious user with Manage Jenkins enabled) can
obtain the SonarQube's credentials.


7. ### Systems Affected ###

This vulnerability was tested against:
Jenkins CI v1.523 and SonarQube Plugin v3.7
Older versions are probably affected too, but they were not checked.


8. ### Vendor Information, Solutions and Workarounds ###

There is the ability to encrypt the "sonar.password" property with the
SonarQube encryption mechanism:

http://docs.codehaus.org/display/SONAR/Settings+Encryption

The sonar.password property is only encryptable since SonarQube v3.7


9. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com


10. ### Vulnerability History ###

August   21th, 2013: Vulnerability identification
September 4th, 2013: Vendor notification [Jenkins CI]
November 19th, 2013: Vulnerability confirmation [Jenkins CI]
November 29th, 2013: Vendor notification [SonarQube]
December  2nd, 2013: Vendor solution [SonarQube]
December  6th, 2013: Vulnerability disclosure


11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse
of this information.

###################################################

18 Dec 2013 00:00Current

6.6Medium risk

Vulners AI Score6.6

CVSS 24

EPSS0.05307