Information disclosure in SonarQube - CVE-2018-19413

Published: December 17, 2018 / Updated: December 18, 2018


Vulnerability identifier: #VU16582
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-19413
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SonarSource
Affected software:
SonarQube

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists in the API of SonarSource SonarQube due to improperly configured access controls. A remote attacker can send a specially crafted HTTP GET request that submits malicious input, causing the API used by the system to return the externalIdentity field, which the attacker can use to access sensitive information, such as valid user-account login information.
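The advisory gives two facts a defender can act on: the fix is in version 7.4, and the disclosed data is the externalIdentity field. The script below is an added example (not code from the advisory or from SonarSource) that turns both into checks: it compares a reported SonarQube version against the fixed release, and it scans a decoded JSON response captured from a low-privilege session for the disclosed field. The version is fetched from the Web API's api/server/version endpoint, which returns the version as plain text; the JSON bodies in the block are constructed samples, not real server output.

```python
import json
import re
import sys
import urllib.request

# Fixed release taken from the advisory's mitigation section.
FIXED_VERSION = (7, 4)

# Field the advisory names as disclosed; extend with other keys you treat as sensitive.
SENSITIVE_FIELDS = ("externalIdentity",)


def parse_version(text):
    """Turn a SonarQube version string such as "7.3.0.1234" into a tuple of ints.

    Non-numeric suffixes (e.g. "-SNAPSHOT") are ignored so comparisons stay numeric.
    """
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable_version(text, fixed=FIXED_VERSION):
    """True when the reported version is older than the fixed release."""
    version = parse_version(text)
    if not version:
        raise ValueError(f"unparseable version string: {text!r}")
    return version < fixed


def find_sensitive_fields(obj, sensitive=SENSITIVE_FIELDS, path=""):
    """Walk a decoded JSON response and return the paths of sensitive keys.

    Run this over a response captured with a low-privilege account: a patched
    instance should not return externalIdentity to such an account.
    """
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}/{key}"
            if key in sensitive:
                hits.append(child)
            hits.extend(find_sensitive_fields(value, sensitive, child))
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            hits.extend(find_sensitive_fields(item, sensitive, f"{path}/{index}"))
    return hits


def fetch_server_version(base_url, timeout=10):
    """Ask the instance for its version (api/server/version answers in plain text)."""
    url = f"{base_url.rstrip('/')}/api/server/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample responses for offline demonstration (not captured from a server).
SAMPLE_PRE_FIX = {"users": [{"login": "alice", "name": "Alice",
                             "externalIdentity": "alice@corp.example"}]}
SAMPLE_POST_FIX = {"users": [{"login": "alice", "name": "Alice"}]}

if __name__ == "__main__":
    # Optional: pass the base URL of your own instance to check its version.
    if len(sys.argv) > 1:
        reported = fetch_server_version(sys.argv[1])
        state = "VULNERABLE (older than 7.4)" if is_vulnerable_version(reported) else "fixed"
        print(f"{sys.argv[1]} reports {reported.strip()}: {state}")
    for label, body in (("pre-fix sample", SAMPLE_PRE_FIX), ("post-fix sample", SAMPLE_POST_FIX)):
        print(label, find_sensitive_fields(body) or "no sensitive fields")
```

The field scan is deliberately generic: rather than hard-coding one response shape, it walks any JSON document, so the same function can be pointed at other API responses you want to audit for the same key after upgrading.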


How to mitigate CVE-2018-19413

Update to version 7.4.

Sources