The MITRE CVE dictionary describes this issue as:

The Jenkins Plugin for SonarQube 3.7 and earlier allows remote authenticated users to obtain sensitive information (cleartext passwords) by reading the value in the sonar.sonarPassword parameter from jenkins/configure.

Find out more about CVE-2013-5676 from the MITRE CVE dictionary and NIST NVD.
Not Vulnerable. The SonarQube plug-in for Jenkins is not shipped by Red Hat.
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| CVSS v2 metric | Value |
|---|---|
| Base Score | 4 |
| Base Metrics | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | Single |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Package | State |
|---|---|---|
| Red Hat OpenShift Enterprise 2 | jenkins | Not affected |
| Red Hat OpenShift Enterprise 1 | jenkins | Not affected |