Full Disclosure mailing list archives
[CVE-2013-5676] Plain Text Password In SonarQube Jenkins Plugin
From: Christian Catalano <ch.catalano () gmail com>
Date: Fri, 06 Dec 2013 15:07:08 +0100
###################################################

1. ### Advisory Information ###

Title: SonarQube Jenkins Plugin - Plain Text Password
Date published: 2013-12-05
Date of last update: 2013-12-05
Vendors contacted: SonarQube and Jenkins CI
Discovered by: Christian Catalano
Severity: High

2. ### Vulnerability Information ###

CVE reference: CVE-2013-5676
CVSS v2 Base Score: 9.0
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
<http://nvd.nist.gov/cvss.cfm?vector=%28AV:N/AC:L/Au:S/C:C/I:C/A:C%29>
Component/s: Jenkins SonarQube Plugin
Class: plain text password

3. ### Introduction ###

Jenkins CI is an extendable open source continuous integration server:
http://jenkins-ci.org

The Jenkins SonarQube Plugin allows you to trigger SonarQube analysis from Jenkins CI using either a:
- Build step to trigger the analysis with the SonarQube Runner
- Post-build action to trigger the analysis with Maven
http://docs.codehaus.org/display/SONAR/Jenkins+Plugin

4. ### Vulnerability Description ###

The default installation and configuration of the Jenkins SonarQube Plugin in Jenkins CI is prone to a security vulnerability.
This vulnerability could be exploited by a remote attacker (a malicious Jenkins user with the Manage Jenkins permission enabled) to obtain the SonarQube credentials.

5. ### Technical Description / Proof of Concept Code ###

Below is a harmless test that can be executed to check whether a Jenkins SonarQube Plugin installation is vulnerable.
Using a browser with a web proxy, go to the following URL:
https://jenkinsserver:9444/jenkins/configure
and check the parameter "sonar.sonarPassword" in the "Sonar installations" section. A vulnerable installation will show the password in plain text.

6. ### Business Impact ###

An attacker (a malicious Jenkins user with the Manage Jenkins permission enabled) can obtain the SonarQube credentials.

7. ### Systems Affected ###

This vulnerability was tested against: Jenkins CI v1.523 and SonarQube Plugin v3.7
Older versions are probably affected too, but they were not checked.

8. ### Vendor Information, Solutions and Workarounds ###

The "sonar.password" property can be encrypted with the SonarQube encryption mechanism:
http://docs.codehaus.org/display/SONAR/Settings+Encryption
The sonar.password property is only encryptable since SonarQube v3.7.

9. ### Credits ###

This vulnerability has been discovered by: Christian Catalano aka wastasy
ch(dot)catalano(at)gmail(dot)com

10. ### Vulnerability History ###

August 21st, 2013: Vulnerability identification
September 4th, 2013: Vendor notification [Jenkins CI]
November 19th, 2013: Vulnerability confirmation [Jenkins CI]
November 29th, 2013: Vendor notification [SonarQube]
December 2nd, 2013: Vendor solution [SonarQube]
December 6th, 2013: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this information.

###################################################
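As an added audit helper that is not part of the advisory, the following Python script inspects a saved copy of the Jenkins /configure page from section 5 and reports, per SonarQube installation, whether the stored "sonar.sonarPassword" value is empty, encrypted with the SonarQube settings-encryption mechanism from section 8 (recognised by the "{aes}" prefix that mechanism puts on encrypted values), or plain text. The sample HTML is constructed for this example, and the "sonar.name" field name and form layout are assumptions.

```python
from html.parser import HTMLParser

# Added example, not part of the advisory. The field name comes from the
# advisory; "{aes}" is the prefix SonarQube's settings encryption puts on
# encrypted values, so a non-empty value without it is treated as plain text.
PASSWORD_FIELD = "sonar.sonarPassword"
ENCRYPTED_PREFIX = "{aes}"

# Constructed sample of the "Sonar installations" section of /configure:
# one installation with an encrypted password, one stored in plain text.
SAMPLE_CONFIGURE_PAGE = """
<form action="configSubmit">
  <input name="sonar.name" value="sonar-prod">
  <input name="sonar.sonarLogin" value="ci-user">
  <input name="sonar.sonarPassword" type="password" value="{aes}c29tZWNpcGhlcnRleHQ=">
  <input name="sonar.name" value="sonar-dev">
  <input name="sonar.sonarLogin" value="ci-user">
  <input name="sonar.sonarPassword" type="password" value="hunter2">
</form>
"""


class _SonarFieldParser(HTMLParser):
    """Pair each sonar.name value with the sonar.sonarPassword that follows it."""

    def __init__(self):
        super().__init__()
        self.current_name = None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        if attr.get("name") == "sonar.name":
            self.current_name = attr.get("value", "")
        elif attr.get("name") == PASSWORD_FIELD:
            self.findings.append((self.current_name, attr.get("value") or ""))


def classify(value):
    """Return 'empty', 'encrypted' or 'plaintext' for one stored password."""
    if not value:
        return "empty"
    return "encrypted" if value.startswith(ENCRYPTED_PREFIX) else "plaintext"


def audit_configure_page(html):
    """Map each SonarQube installation name to how its password is stored."""
    parser = _SonarFieldParser()
    parser.feed(html)
    return {name: classify(value) for name, value in parser.findings}
```

Any installation reported as "plaintext" is exposed exactly as the advisory describes; "encrypted" values are still sent to the browser, but are useless without the SonarQube secret key.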
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/