SB2018092405 - Information disclosure in SonarQube

Published: September 24, 2018

Security Bulletin ID SB2018092405
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Information disclosure (CVE-ID: CVE-2018-19413)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists in the API of SonarSource SonarQube due to improperly configured access controls. A remote attacker can send a specially crafted HTTP GET request with malicious input that causes the API to return the externalIdentity field, which the attacker can use to obtain sensitive information such as valid user-account login information.
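The following is an added illustration of the defensive side of this class of bug, not code from the bulletin or from SonarQube: an audit helper that flags privileged fields leaked in a captured API response, beside a serializer that strips them unless the caller is an administrator. The JSON layout (a "users" list with "login" and "name" keys) and the set of privileged fields are assumptions constructed for the example; only the externalIdentity field name comes from the bulletin.

```python
import json

# Constructed sample response body (assumption: a "users" list; every key
# except "externalIdentity" is made up for the example).
SAMPLE_RESPONSE = json.dumps({
    "users": [
        {"login": "alice", "name": "Alice", "externalIdentity": "alice@corp.example", "active": True},
        {"login": "bob", "name": "Bob", "externalIdentity": "bob", "active": True},
    ]
})

# Fields that only administrators should ever see (assumption for the example).
PRIVILEGED_FIELDS = {"externalIdentity"}


def exposed_privileged_fields(body: str) -> dict:
    """Audit a captured response: map each user login to the privileged fields it leaks."""
    data = json.loads(body)
    leaks = {}
    for user in data.get("users", []):
        found = sorted(PRIVILEGED_FIELDS & user.keys())
        if found:
            leaks[user.get("login", "<unknown>")] = found
    return leaks


def serialize_users(users: list, caller_is_admin: bool) -> list:
    """Hardened serializer: drop privileged fields unless the caller is an administrator.

    The access decision is made server-side per field, so the shape of the
    request cannot influence which fields are returned.
    """
    if caller_is_admin:
        return [dict(u) for u in users]
    return [{k: v for k, v in u.items() if k not in PRIVILEGED_FIELDS} for u in users]


def filtered_response(body: str, caller_is_admin: bool) -> str:
    """Re-serialize a response body as the hardened endpoint would emit it."""
    data = json.loads(body)
    return json.dumps({"users": serialize_users(data.get("users", []), caller_is_admin)})


if __name__ == "__main__":
    print("leaks in raw sample:", exposed_privileged_fields(SAMPLE_RESPONSE))
    print("leaks after filter (non-admin):",
          exposed_privileged_fields(filtered_response(SAMPLE_RESPONSE, False)))
```

Running the audit against responses captured from a patched and an unpatched instance gives a quick regression check that the field no longer reaches non-administrative callers.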


Remediation

Install the update from the vendor's website.