Lucene search

Veracode Vulnerability DatabaseVERACODE:47631

HistoryJun 19, 2024 - 6:33 a.m.

Information Disclosure

2024-06-1906:33:05

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

sonarqube

vulnerability

exposure

encrypted values

cleartext

logs

url parameters

sensitive information

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

SonarQube is vulnerable to exposure of encrypted values in cleartext. The vulnerability is due to encrypted values generated using the Settings Encryption feature being exposed in URL parameters in logs, allowing attackers with access to SonarQube logs or proxy logs to view sensitive information.

CPENameOperatorVersion
sonarqubele10.4.0.87240
sonarqubele9.9.3.79811
sonarqubele10.4.0.87240
sonarqubele9.9.3.79811

Name	Operator	Version
sonarqube	le	10.4.0.87240
sonarqube	le	9.9.3.79811
sonarqube	le	10.4.0.87240
sonarqube	le	9.9.3.79811

References

community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187

github.com/advisories/GHSA-hw2c-8xgw-mf57

github.com/SonarSource/sonarqube/commit/48f43d6a3bf9bbd7c9b58eb5cde635572184ad01

github.com/SonarSource/sonarqube/commit/d72acd5707f3ac1234f60a326dffbb197b1e103f

sonarsource.atlassian.net/browse/SONAR-21559

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:47631