CVE-2024-38460

In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in logs (such as SonarQube access logs, proxy logs, etc.). "Cleartext" here refers to the encrypted token itself: it is sent unredacted in a request's query string, so every component that records request URLs (the SonarQube access log, a reverse proxy or load balancer in front of it) keeps a copy of a value whose confidentiality rests entirely on the server's encryption key. Anyone who can read those logs and that key can recover the original secret, so leaked tokens should be treated as exposed and the underlying secrets rotated.
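The practical question for an operator is whether such tokens already sit in retained access or proxy logs. The Python scanner below is an added example, not code from the CVE record or from SonarSource: it parses constructed access-log lines (modelled loosely on Common Log Format), percent-decodes each request's query parameters, flags values that look like a SonarQube encrypted token, and produces a redacted copy of the request target. The token format it matches ("{aes}" or "{aes-gcm}" followed by base64) and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption (not stated on the CVE page): SonarQube Settings Encryption values are
# rendered as "{aes}<base64>" (older servers) or "{aes-gcm}<base64>". Adjust the
# pattern if your server emits a different prefix.
ENCRYPTED_VALUE_RE = re.compile(r"\{aes(?:-gcm)?\}[A-Za-z0-9+/=]+")

# Request line inside a quoted access-log field: "GET /path?query HTTP/1.1"
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample lines, loosely modelled on a Common Log Format access log.
# Lines 1 and 4 carry an encrypted token in the query string; the rest are clean.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [03/Jan/2024:10:15:02 +0000] "GET /api/settings/set?key=sonar.auth.github.clientSecret.secured&value=%7Baes-gcm%7DZm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg%3D%3D HTTP/1.1" 200 12 "-" "curl/8.4.0"',
    '10.0.0.5 - - [03/Jan/2024:10:15:03 +0000] "GET /api/settings/values?keys=sonar.core.serverBaseURL HTTP/1.1" 200 110 "-" "curl/8.4.0"',
    '10.0.0.9 - - [03/Jan/2024:10:16:10 +0000] "POST /api/settings/set HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Jan/2024:10:17:44 +0000] "GET /api/settings/set?key=sonar.jdbc.password&value=%7Baes%7DYWJjZGVmZ2hpamtsbW5vcA%3D%3D HTTP/1.1" 200 12 "-" "curl/8.4.0"',
])


def find_encrypted_params(target):
    """Return (name, decoded value) for every query parameter of a request target
    whose percent-decoded value looks like a SonarQube encrypted token."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if ENCRYPTED_VALUE_RE.fullmatch(value)]


def redact_target(target):
    """Rebuild the request target with every encrypted token replaced by REDACTED,
    leaving the other parameters intact so the log stays useful for investigation."""
    parts = urlsplit(target)
    pairs = [(name, "REDACTED" if ENCRYPTED_VALUE_RE.fullmatch(value) else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(text):
    """Scan access-log text; return one finding per line that leaks an encrypted token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_LINE_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = m.group("target")
        leaked = find_encrypted_params(target)
        if leaked:
            findings.append({
                "line": lineno,
                "method": m.group("method"),
                "path": urlsplit(target).path,
                "params": [name for name, _ in leaked],
                "redacted": redact_target(target),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} leaks {f['params']}")
        print(f"  redacted: {f['redacted']}")
```

The scanner decodes the query string before matching because logs usually hold the token percent-encoded ("%7Baes-gcm%7D..."), so a naive grep for "{aes" misses it. The same pattern can be run over other logged fields, such as a Referer header in proxy logs, and the redacted form is what you would want to keep if the logs must be retained for audit purposes.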
Configurations

Configuration 1

cpe:2.3:a:sonarsource:sonarqube:*:*:*:*:*:*:*:*

History

07 Aug 2024, 18:58

Type: CVSS
  Removed: v2: unknown; v3: 4.9
  Added:   v2: unknown; v3: 6.5
Type: References
  Removed: https://community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187 (no tags)
  Added:   https://community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187 (Exploit, Issue Tracking, Vendor Advisory)
Type: References
  Removed: https://sonarsource.atlassian.net/browse/SONAR-21559 (no tags)
  Added:   https://sonarsource.atlassian.net/browse/SONAR-21559 (Issue Tracking)
Type: CWE
  Added:   CWE-532
Type: CPE
  Added:   cpe:2.3:a:sonarsource:sonarqube:*:*:*:*:*:*:*:*
Type: First Time
  Added:   Sonarsource; Sonarsource sonarqube

17 Jun 2024, 12:42

Type: Summary
  Added (es, translated): In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in logs (such as SonarQube access logs, proxy logs, etc.).

16 Jun 2024, 15:15

New CVE

Information

Published : 2024-06-16 15:15
Updated : 2024-08-07 18:58

NVD link : CVE-2024-38460
Mitre link : CVE-2024-38460
CVE.ORG link : CVE-2024-38460


Products Affected

sonarsource
  • sonarqube

CWE

CWE-532: Insertion of Sensitive Information into Log File