CVE-2024-38460 – org.sonarsource.sonarqube:sonar-web
Package
Manager: maven
Name: org.sonarsource.sonarqube:sonar-web
Vulnerable Version: >=0 <9.9.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00104 (percentile 0.29072)
Details
SonarQube logs sensitive information. In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube access logs, proxy logs, etc.).
Metadata
Created: 2024-06-16T15:30:44Z
Modified: 2024-06-17T21:22:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-hw2c-8xgw-mf57/GHSA-hw2c-8xgw-mf57.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-hw2c-8xgw-mf57
Finding: F009
Auto approve: 1