Lucene search

GitHub Advisory DatabaseGHSA-HW2C-8XGW-MF57

HistoryJun 16, 2024 - 3:30 p.m.

SonarQube logs sensitive information

2024-06-1615:30:44

CWE-532

GitHub Advisory Database

github.com

sonarqube

sensitive information

logs

encryption

url parameters

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc).

Affected configurations

Vulners

Node

org.sonarsource.sonarqube\sonarMatchweb

CPENameOperatorVersion
org.sonarsource.sonarqube:sonar-weblt9.9.4

CPE	Name	Operator	Version
	org.sonarsource.sonarqube:sonar-web	lt	9.9.4

References

community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187

github.com/advisories/GHSA-hw2c-8xgw-mf57

github.com/SonarSource/sonarqube/commit/48f43d6a3bf9bbd7c9b58eb5cde635572184ad01

nvd.nist.gov/vuln/detail/CVE-2024-38460

sonarsource.atlassian.net/browse/SONAR-21559

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for GHSA-HW2C-8XGW-MF57