In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc).
References
Link | Resource |
---|---|
https://community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187 | Exploit Issue Tracking Vendor Advisory |
https://sonarsource.atlassian.net/browse/SONAR-21559 | Issue Tracking |
https://community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187 | Exploit Issue Tracking Vendor Advisory |
https://sonarsource.atlassian.net/browse/SONAR-21559 | Issue Tracking |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 09:25
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.9 |
References | () https://community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187 - Exploit, Issue Tracking, Vendor Advisory | |
References | () https://sonarsource.atlassian.net/browse/SONAR-21559 - Issue Tracking |
07 Aug 2024, 18:58
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
References | () https://community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187 - Exploit, Issue Tracking, Vendor Advisory | |
References | () https://sonarsource.atlassian.net/browse/SONAR-21559 - Issue Tracking | |
CWE | CWE-532 | |
CPE | cpe:2.3:a:sonarsource:sonarqube:*:*:*:*:*:*:*:* | |
First Time |
Sonarsource
Sonarsource sonarqube |
17 Jun 2024, 12:42
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
16 Jun 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-16 15:15
Updated : 2024-11-21 09:25
NVD link : CVE-2024-38460
Mitre link : CVE-2024-38460
CVE.ORG link : CVE-2024-38460
JSON object : View
Products Affected
sonarsource
- sonarqube
CWE
CWE-532
Insertion of Sensitive Information into Log File