GHSA-hw2c-8xgw-mf57

Source

https://github.com/advisories/GHSA-hw2c-8xgw-mf57

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-hw2c-8xgw-mf57/GHSA-hw2c-8xgw-mf57.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hw2c-8xgw-mf57

Aliases

CVE-2024-38460

Published

2024-06-16T15:30:44Z

Modified

2024-06-25T02:33:30.974481Z

Severity

4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

SonarQube logs sensitive information

Details

In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc).

Database specific

{
    "nvd_published_at": "2024-06-16T15:15:51Z",
    "cwe_ids": [
        "CWE-532"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-17T21:22:06Z"
}

References

Affected packages

Maven / org.sonarsource.sonarqube:sonar-web

Package

Name: org.sonarsource.sonarqube:sonar-web; View open source insights on deps.dev
Purl: pkg:maven/org.sonarsource.sonarqube/sonar-web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.9.4

Affected versions

5.*

5.2-RC3

5.2-RC4

5.4-RC1

5.4-RC2

5.4-RC3

5.4-RC4

5.4

5.5-RC1

5.5-RC2

5.5

5.6-RC1

5.6-RC2

5.6

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.6

5.6.7

6.*

6.0-RC1

6.0-RC2

6.0

6.1-RC1

6.1-RC2

6.1

6.2-RC1

6.2-RC3

6.2

6.2.1

6.3-RC4

6.3

6.3.1

6.4-RC1

6.4-RC2

6.4-RC3

6.4

6.5-RC1

6.5-RC2

6.5

6.6-RC1

6.6

6.7-RC1

6.7

6.7.1

6.7.3

6.7.4

6.7.5

6.7.6

6.7.7

7.*

7.0-RC1

7.0