6 matches found
CVE-2020-27986
The CVE-2020-27986 entry applies to SonarQube 8.4.2.36762, where remote attackers can discover cleartext credentials (SMTP, SVN, GitLab) via the api/settings/values URI. The connected nuclei template explicitly calls this an authentication-related exposure, and related sources reiterate plaintext...
CVE-2024-47911
In SonarSource SonarQube 10.4–10.5 (before 10.6), a vulnerability exists in the authorizations/group-memberships API endpoint that allows users with the administrator role to inject blind SQL commands. The issue is triggered via the group-memberships authorization path, enabling SQL injection wit...
CVE-2018-19413
CVE-2018-19413 affects the SonarSource SonarQube API. An authenticated non-admin user could access the externalIdentity field due to improperly configured access controls, enabling disclosure of valid user login names. Affected versions include SonarQube up to 7.4 (and 7.5+ fixes referenced in re...
CVE-2019-17579
CVE-2019-17579 affects SonarSource SonarQube versions prior to 7.8. The vulnerability is a cross-site scripting (XSS) flaw in the project links on account/projects, arising from insufficient validation of client-side data in the WEB application. Impact described in sources: attacker could potenti...
CVE-2024-38460
CVE-2024-38460 affects SonarQube before 10.4 and 9.9.4 LTA. The issue is that values encrypted via Settings Encryption can be exposed in cleartext in URL parameters found in logs (e.g., access logs, proxy logs). The root cause is insecure handling of encrypted values in log output, enabling poten...
CVE-2020-28002
CVE-2020-28002 affects SonarQube 8.4.2.36762. An external attacker can bypass authentication by supplying an empty value to -D sonar.login, forcing anonymous authentication and enabling creation/overwriting of both public and private projects via the /api/ce/submit endpoint. The NVD metrics indic...