PT-2013-5722 · Jenkins · Jenkins Plugin For Sonarqube

Author: Christian Catalano (+1)

Published: 2013-12-13 · Updated: 2022-05-17

CVE-2013-5676

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Jenkins Plugin for SonarQube versions 3.7 and earlier

Description: The issue allows remote authenticated users to obtain sensitive information, specifically cleartext passwords, by reading the value of the sonarPassword parameter on the jenkins/configure page.

Recommendations: For Jenkins Plugin for SonarQube versions 3.7 and earlier, consider restricting access to the jenkins/configure page to minimize the risk of exploitation. Avoid using the sonarPassword parameter in the affected configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2013-5676
GHSA-3X9H-3P7M-33M7

Affected Products

Jenkins Plugin For Sonarqube