Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1odzJjLTh4Z3ctbWY1N84AA9He
SonarQube logs sensitive information
In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc.).
Permalink: https://github.com/advisories/GHSA-hw2c-8xgw-mf57
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1odzJjLTh4Z3ctbWY1N84AA9He
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 4.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-hw2c-8xgw-mf57, CVE-2024-38460
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-38460
- https://community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187
- https://sonarsource.atlassian.net/browse/SONAR-21559
- https://github.com/SonarSource/sonarqube/commit/48f43d6a3bf9bbd7c9b58eb5cde635572184ad01
- https://github.com/advisories/GHSA-hw2c-8xgw-mf57
Blast Radius: 1.5
Affected Packages
maven:org.sonarsource.sonarqube:sonar-web
Dependent packages: 1
Dependent repositories: 2
Downloads:
Affected Version Ranges: < 9.9.4
Fixed in: 9.9.4
All affected versions: 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 6.2.1, 6.3.1, 6.7.1, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7
All unaffected versions: