CVE-2024-38460

{"id": "CVE-2024-38460", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-06-16T15:15:51.910", "references": [{"url": "https://community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://sonarsource.atlassian.net/browse/SONAR-21559", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}, {"url": "https://community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://sonarsource.atlassian.net/browse/SONAR-21559", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc)."}, {"lang": "es", "value": "En SonarQube anterior a 10.4 y 9.9.4 LTA, los valores cifrados generados mediante la funci\u00f3n de cifrado de configuraci\u00f3n est\u00e1n potencialmente expuestos en texto plano como parte de los par\u00e1metros de URL en los registros (como registros de acceso de SonarQube, registros de proxy, etc.)."}], "lastModified": "2024-11-21T09:25:57.670", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sonarsource:sonarqube:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1150BB6-C571-48F0-B51C-B03FBA5FD5C0", "versionEndExcluding": "9.9.4"}, {"criteria": "cpe:2.3:a:sonarsource:sonarqube:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1151660E-EA3E-4CED-8AFE-CACD8280CD68", "versionEndExcluding": "10.4", "versionStartIncluding": "10.0.0.68432"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}