SonarQube and Jenkins CI Plugin Plain Text Password

2013.12.17
Risk: High
Local: No
Remote: Yes
CWE: CWE-310


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

###################################################

1. ### Advisory Information ###

Title: SonarQube Jenkins Plugin - Plain Text Password
Date published: 2013-12-05
Date of last update: 2013-12-05
Vendors contacted: SonarQube and Jenkins CI
Discovered by: Christian Catalano
Severity: High

2. ### Vulnerability Information ###

CVE reference: CVE-2013-5676
CVSS v2 Base Score: 9.0
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Component/s: Jenkins SonarQube Plugin
Class: plain text password

3. ### Introduction ###

Jenkins CI is an extendable open source continuous integration server (http://jenkins-ci.org).

The Jenkins SonarQube Plugin allows you to trigger a SonarQube analysis from Jenkins CI using either a:
- Build step to trigger the analysis with the SonarQube Runner
- Post-build action to trigger the analysis with Maven

http://docs.codehaus.org/display/SONAR/Jenkins+Plugin

4. ### Vulnerability Description ###

The default installation and configuration of the Jenkins SonarQube Plugin in Jenkins CI is prone to a security vulnerability: the SonarQube password configured in the plugin is returned in clear text on the Jenkins global configuration page. This can be exploited by a remote attacker (a malicious Jenkins user with the Manage Jenkins permission) to obtain the SonarQube credentials.

5. ### Technical Description / Proof of Concept Code ###

Below is a harmless test that can be executed to check whether a Jenkins SonarQube Plugin installation is vulnerable.

Using a browser behind a web proxy, go to the following URL:

https://jenkinsserver:9444/jenkins/configure

and check the parameter "sonar.sonarPassword" in the Sonar installations section. A vulnerable installation will show the password in plain text (the browser may render the field masked, but the proxied response carries the real value).

6. ### Business Impact ###

An attacker (a malicious Jenkins user with the Manage Jenkins permission) can obtain the SonarQube credentials.

7. ### Systems Affected ###

This vulnerability was tested against Jenkins CI v1.523 and SonarQube Plugin v3.7. Older versions are probably affected too, but they were not checked.

8. ### Vendor Information, Solutions and Workarounds ###

The "sonar.password" property can be encrypted with the SonarQube encryption mechanism:
http://docs.codehaus.org/display/SONAR/Settings+Encryption

The sonar.password property is only encryptable since SonarQube v3.7.

9. ### Credits ###

This vulnerability has been discovered by: Christian Catalano aka wastasy
ch(dot)catalano(at)gmail(dot)com

10. ### Vulnerability History ###

August 21st, 2013: Vulnerability identification
September 4th, 2013: Vendor notification [Jenkins CI]
November 19th, 2013: Vulnerability confirmation [Jenkins CI]
November 29th, 2013: Vendor notification [SonarQube]
December 2nd, 2013: Vendor solution [SonarQube]
December 6th, 2013: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

###################################################
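The proof-of-concept above is a manual check through a proxy. The following is an added example, not code from the advisory or from the Jenkins/SonarQube projects, that automates the same check offline: it parses the HTML of the global configuration page, pulls every input named "sonar.sonarPassword" (the parameter named in the advisory), and reports whether the server-supplied value is clear text. It also covers the workaround in section 8: a value carrying the "{aes}" prefix is treated as a SonarQube-encrypted setting. The sample HTML is constructed, the "{aes}" prefix is an assumption about the SonarQube settings-encryption output format, and the helper names are the author's own.

```python
"""Check a saved Jenkins /configure page for a clear-text SonarQube password.

Added example, not part of the advisory. The field name comes from the
advisory; the sample pages below are constructed, and the "{aes}" prefix is
an assumption about how SonarQube settings encryption marks encrypted values.
"""
from html.parser import HTMLParser

FIELD = "sonar.sonarPassword"          # form parameter named in the advisory
ENCRYPTED_PREFIX = "{aes}"             # assumed SonarQube encrypted-value marker


class _InputCollector(HTMLParser):
    """Collects the attributes of every <input> tag in the page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            self.inputs.append(dict(attrs))


def find_password_fields(html):
    """Return the attribute dicts of all inputs named sonar.sonarPassword."""
    parser = _InputCollector()
    parser.feed(html)
    return [a for a in parser.inputs if a.get("name") == FIELD]


def classify(field):
    """Classify one field by the value the server put in the HTML.

    A type="password" input is masked by the browser, but the value attribute
    still travels in clear in the HTTP response, which is why the advisory
    tells the tester to look at the proxy rather than the rendered page.
    """
    value = field.get("value") or ""
    if not value:
        return "empty"
    if value.startswith(ENCRYPTED_PREFIX):
        return "encrypted"
    return "plaintext"


def check_page(html):
    """Return (value, classification) for each sonar.sonarPassword input."""
    return [(f.get("value") or "", classify(f)) for f in find_password_fields(html)]


def is_vulnerable(html):
    """True if any SonarQube password field is sent in clear text."""
    return any(kind == "plaintext" for _, kind in check_page(html))


# Constructed sample: a vulnerable configuration page (field masked in the
# browser, but the real password sits in the value attribute).
SAMPLE_VULNERABLE = """
<form name="config" action="configSubmit" method="post">
  <div class="section-header">Sonar installations</div>
  <input name="sonar.name" type="text" value="sonar-prod">
  <input name="sonar.serverUrl" type="text" value="http://sonar.internal:9000">
  <input name="sonar.sonarLogin" type="text" value="jenkins">
  <input name="sonar.sonarPassword" type="password" value="Sup3rS3cret!">
</form>
"""

# Constructed sample: the same page after the workaround, where the stored
# value is the SonarQube-encrypted form rather than the password itself.
SAMPLE_ENCRYPTED = """
<form name="config" action="configSubmit" method="post">
  <input name="sonar.sonarLogin" type="text" value="jenkins">
  <input name="sonar.sonarPassword" type="password" value="{aes}c2FtcGxlLWNpcGhlcnRleHQ=">
</form>
"""

if __name__ == "__main__":
    for name, page in (("vulnerable", SAMPLE_VULNERABLE), ("encrypted", SAMPLE_ENCRYPTED)):
        for value, kind in check_page(page):
            print(f"{name}: {FIELD} -> {kind} ({value})")
        print(f"{name}: vulnerable = {is_vulnerable(page)}")
```

To run it against a real instance, save the response body of an authenticated GET to /jenkins/configure (as captured in the proxy) and pass that string to check_page(); a "plaintext" result is the condition the advisory describes. Note that the check only proves what the server sends to a Manage Jenkins user; it says nothing about how the value is stored on disk.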

References:

http://docs.codehaus.org/display/SONAR/Jenkins+Plugin


Copyright 2024, cxsecurity.com