PT-2024-28016 · Sonarqube · Sonarqube

Thornablegumpture

·

Published

2024-06-16

·

Updated

2024-08-07

·

CVE-2024-38460

CVSS v3.1

4.9

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SonarQube versions prior to 10.4
SonarQube 9.9 LTA versions prior to 9.9.4 LTA

Description

Secret values handled by the Settings Encryption feature, which is meant to keep them only in encrypted form, can be exposed in cleartext as URL parameters recorded in logs, such as SonarQube Access Logs and proxy logs. Anything carried in a request's query string is written to the server's access log and to the logs of every intermediate proxy, so a secret sent that way is disclosed to anyone able to read those logs regardless of how it is stored afterwards. Exploitation requires access to those logs, hence the high-privilege (PR:H) rating.

Recommendations

For SonarQube versions prior to 10.4, update to version 10.4 or later. For the 9.9 LTA line, update to version 9.9.4 LTA or later. As a temporary workaround, restrict access to logs that may contain sensitive information, such as SonarQube Access Logs and proxy logs, to minimize the risk of exploitation.

Updating does not remove values that were already written to logs. After patching, review existing access and proxy logs, including copies shipped to central log storage, for requests carrying secrets in their query string; redact or purge those entries and rotate any secret found in them.
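As an added example that is not part of this advisory or of SonarQube's own code: a triage script for the log review suggested above. It parses lines in SonarQube's default access-log layout, flags requests whose query string carries a parameter name that should never travel in a URL, redacts the value so the log can be retained, and records who sent the request and when so the exposed secret can be rotated. The log lines are constructed for the example; the assumption that the encryption request passes its plaintext as a query parameter named `value`, the list of sensitive parameter names, and the regex for the log layout are mine, not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Default SonarQube access-log layout (sonar.web.accessLogs.pattern):
#   %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" "%reqAttribute{ID}"
# "%r" is "METHOD TARGET PROTOCOL"; the query string inside TARGET is the part
# this vulnerability class leaks. The regex is an assumption about that layout.
ACCESS_LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<rest>.*)$'
)

# Parameter names whose values have no business in a query string. Assumption:
# the Settings Encryption request carries its plaintext as "value"; the other
# names are generic secret-bearing parameters worth flagging in any access log.
SENSITIVE_PARAMS = {"value", "password", "passwd", "secret", "token", "key"}

# Constructed sample lines, not real log data.
SAMPLE_LOG = [
    '10.0.0.5 - admin [16/Jun/2024:10:15:32 +0000] "GET /api/settings/encrypt?value=Sup3rS3cret%21 HTTP/1.1" 200 75 "-" "curl/8.4.0" "AY9x1"',
    '10.0.0.5 - admin [16/Jun/2024:10:15:40 +0000] "GET /api/settings/values?keys=sonar.core.serverBaseURL HTTP/1.1" 200 210 "-" "curl/8.4.0" "AY9x2"',
    '10.0.0.9 - ci-bot [16/Jun/2024:10:16:01 +0000] "POST /api/settings/set HTTP/1.1" 204 0 "-" "sonar-scanner" "AY9x3"',
]


@dataclass
class Finding:
    user: str
    timestamp: str
    path: str
    params: List[str]  # names of leaked parameters; the values are deliberately not kept


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields, or None if the layout differs."""
    m = ACCESS_LINE.match(line)
    return m.groupdict() if m else None


def redact_target(target: str) -> Tuple[str, List[str]]:
    """Return (redacted_target, leaked_param_names) for a request target.

    Only non-empty values of sensitive parameters count as a leak; other
    parameters are re-emitted unchanged so the log stays useful for audit.
    """
    parts = urlsplit(target)
    leaked: List[str] = []
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value != "":
            leaked.append(name)
            kept.append((name, "REDACTED"))
        else:
            kept.append((name, value))
    return urlunsplit(("", "", parts.path, urlencode(kept), parts.fragment)), leaked


def scan(lines: List[str]) -> Tuple[List[str], List[Finding]]:
    """Return (redacted_lines, findings). Lines without a leak are returned verbatim."""
    redacted_lines: List[str] = []
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            redacted_lines.append(line)  # unknown layout: never rewrite blindly
            continue
        new_target, leaked = redact_target(rec["target"])
        if leaked:
            findings.append(Finding(rec["user"], rec["ts"], urlsplit(rec["target"]).path, leaked))
            line = line.replace(rec["target"], new_target, 1)
        redacted_lines.append(line)
    return redacted_lines, findings


if __name__ == "__main__":
    cleaned, hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"rotate secret: user={f.user} at={f.timestamp} path={f.path} params={f.params}")
    print("\n".join(cleaned))
```

Run the same logic over the reverse proxy's access log with a regex for that server's layout; the redaction and findings logic is independent of which log the request line came from. The findings list is the rotation worklist: every secret it names was readable by whoever could read the log.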

Weakness Enumeration

CWE-532: Insertion of Sensitive Information into Log File

Related Identifiers

CVE-2024-38460
GHSA-HW2C-8XGW-MF57

Affected Products

Sonarqube