CVE-2020-27986

Name of the Vulnerable Software and Affected Versions SonarQube version 8.4.2.36762

Description The issue allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the "api/settings/values" URI. The vendor's position is that it is the administrator's responsibility to configure it.

Recommendations For SonarQube version 8.4.2.36762, consider restricting access to the "api/settings/values" URI to minimize the risk of exploitation. As a temporary workaround, avoid using cleartext credentials for SMTP, SVN, and GitLab configurations until a more secure configuration is implemented. At the moment, there is no information about a newer version that contains a fix for this issue.