137 matches found
sonar-wrapper Command Injection vulnerability
A command injection vulnerability affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js...
GHSA-WR4V-3F2H-6HHH sonar-wrapper Command Injection vulnerability
A command injection vulnerability affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js...
CVE-2020-28443 Command Injection
This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js...
CVE-2020-28443
CVE-2020-28443 affects all versions of the Node package sonar-wrapper, with the injection point in lib/sonarRunner.js. The vulnerability is a Command Injection flaw, allowing crafted input to be injected into system commands (high impact: CVSS 3.1 base score 9.8). Connected sources confirm the vu...
Malicious code in route-sonar (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0e7e8e14e7b5534cc30736a69538701a587fe3db0ac921df08e55a9c1e571fc7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-5845 Malicious code in route-sonar (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0e7e8e14e7b5534cc30736a69538701a587fe3db0ac921df08e55a9c1e571fc7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
sonar-wrapper 命令注入漏洞
sonar-wrapper is a package by loic rondel individual developer that wraps SonarQube Scanner as a node module. A security vulnerability exists in sonar-wrapper, which stems from a command injection attack injection point in sonarRunner.js...
Malicious Package
Overview route-sonar is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...
Jenkins Sonar Quality Gates Plugin transmits credentials in plain text during configuration
Sonar Quality Gates Plugin stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the...
GHSA-6FH3-XHWG-7HFH Jenkins Sonar Quality Gates Plugin transmits credentials in plain text during configuration
Sonar Quality Gates Plugin stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the...
org.jenkins-ci.plugins:gerrit-verify-status-reporter (>=0.0.2 <=0.0.3), org.jenkins-ci.plugins:msginject (>=0.1.0 <=0.1.1) +1 more potentially affected by CVE-2019-16552 via com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger (>=2.14.0 <=2.22.0)
com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger MAVEN version =2.14.0, =0.0.2, =0.1.0, =1.0, =2.4.6 Source cves: CVE-2019-16552 Source advisory: OSV:GHSA-4R39-F4RH-J6Q8...
org.jenkins-ci.plugins:gerrit-verify-status-reporter (>=0.0.2 <=0.0.3), org.jenkins-ci.plugins:msginject (>=0.1.0 <=0.1.1) +1 more potentially affected by CVE-2019-16551 via com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger (>=2.14.0 <=2.22.0)
com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger MAVEN version =2.14.0, =0.0.2, =0.1.0, =1.0, =2.4.6 Source cves: CVE-2019-16551 Source advisory: OSV:GHSA-VMVP-2HHX-RGM8...
Jenkins Sonar Gerrit Plugin stores credentials unencrypted
Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system...
GHSA-6FV3-W7J6-5XFC Jenkins Sonar Gerrit Plugin stores credentials unencrypted
Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system...
org.jenkins-ci.plugins:sonar-gerrit (=428.v5c962d271b_a_5) potentially affected by CVE-2013-5676 via org.jenkins-ci.plugins:sonar (=2.13.1)
org.jenkins-ci.plugins:sonar MAVEN version =2.13.1 is affected by a known vulnerability. The following packages have a transitive dependency on org.jenkins-ci.plugins:sonar and may be impacted: - org.jenkins-ci.plugins:sonar-gerrit =428.v5c962d271ba5 Source cves: CVE-2013-5676 Source advisory:...
Cleartext Storage of Sensitive Information
Overview org.jenkins-ci.plugins:sonar is a SonarQube scanner plugin for Jenkins Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information via the sonar.sonarPassword parameter. An attacker can obtain sensitive information, including cleartext passwords, by...
com.devonfw.tools:sonar-devon-plugin (=3.0.0), com.devonfw.tools:sonar-devon4j-plugin (=3.2.0) +124 more potentially affected by CVE-2018-19413 via org.sonarsource.sonarqube:sonar-plugin-api (>=5.2 <=7.4-alpha2)
org.sonarsource.sonarqube:sonar-plugin-api MAVEN version =5.2, =0.1.0, =2.0.0, =2.0.0, =1.0.0, =1.0.0, =3.7.0, =2.0.0, =3.0.0, =1.0, =1.0, =1.0, =1.7 and more Source cves: CVE-2018-19413 Source advisory: OSV:GHSA-M643-2PFV-XWM8...
org.jenkins-ci.plugins:gerrit-verify-status-reporter (>=0.0.2 <=0.0.3), org.jenkins-ci.plugins:msginject (>=0.1.0 <=0.1.1) +1 more potentially affected by CVE-2022-29039 via com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger (>=2.14.0 <=2.35.0)
com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger MAVEN version =2.14.0, =0.0.2, =0.1.0, =1.0, =428.v5c962d271ba5 Source cves: CVE-2022-29039 Source advisory: OSV:GHSA-455J-8HG5-8576...
Evolving How We Share Rapid7 Research Data
In the spring of 2018, we launched the Open Data initiative to provide security teams and researchers with access to research data generated from Project Sonar and Project Heisenberg. Our goal for those projects is to understand how the attack surface is evolving, what exposures are most common o...
Rapid7 Releases New Industry Cyber-Exposure Report (ICER): Deutsche Börse Prime Standard
Today, Rapid7 released the fourth in our Industry Cyber-Exposure Report ICER series. For those of you who have been following our research over the past few years, you may immediately suspect us of unloading another 100+ page tome of internet-based findings around the internet—but not so fast!...