CVSS3: 4.9 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
AI Score: 6.5 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)
SonarQube is vulnerable to exposure of encrypted values in cleartext. Encrypted values generated with the Settings Encryption feature are written to logs as URL parameters, so an attacker with access to the SonarQube logs or to proxy logs in front of it can read this sensitive information.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | sonarqube | le | 10.4.0.87240 |
| | sonarqube | le | 9.9.3.79811 |
community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187
github.com/advisories/GHSA-hw2c-8xgw-mf57
github.com/SonarSource/sonarqube/commit/48f43d6a3bf9bbd7c9b58eb5cde635572184ad01
github.com/SonarSource/sonarqube/commit/d72acd5707f3ac1234f60a326dffbb197b1e103f
sonarsource.atlassian.net/browse/SONAR-21559