Skip to content
cyberexploits
webappphptext

SonarQube Jenkins Plugin - Plain Text Password

SonarQube Jenkins Plugin - Plain Text Password

Publié le 2013-12-18

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/30409.txt7eac4c3a
raw
###################################################



1. ###  Advisory Information ###



Title: SonarQube Jenkins Plugin - Plain Text Password

Date published: 2013-12-05

Date of last update: 2013-12-05

Vendors contacted: SonarQube and Jenkins CI

Discovered by: Christian Catalano

Severity: High





2. ###  Vulnerability Information ###



CVE reference     : CVE-2013-5676

CVSS v2 Base Score: 9.0

CVSS v2 Vector    : (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Component/s       : Jenkins SonarQube Plugin

Class             : plain text password





3. ### Introduction ###



Jenkins CI is an extendable open source continuous integration server

http://jenkins-ci.org.



Jenkins SonarQube Plugin  allows you to trigger SonarQube analysis

from Jenkins CI using either a:



- Build step to trigger the analysis with the SonarQube Runner

- Post-build action to trigger the analysis with Maven



http://docs.codehaus.org/display/SONAR/Jenkins+Plugin





4. ### Vulnerability Description ###



The default installation and configuration of Jenkins SonarQube Plugin

in Jenkins CI is prone to a security vulnerability.



This vulnerability could be exploited by a remote attacker (a jenkins

malicious user with Manage Jenkins enabled) to obtain the SonarQube's

credentials.





5. ### Technical Description / Proof of Concept Code ###



Below is a harmless test that can be executed to check if a Jenkins

SonarQube Plugin installation is vulnerable.



Using a browser with a web proxy go to the following URL:



https://jenkinsserver:9444/jenkins/configure



check the parameter "sonar.sonarPassword" in Sonar installations section.



A vulnerable installation will show the password in plain text.





6. ### Business Impact ###



An attacker (a jenkins malicious user with Manage Jenkins enabled) can

obtain the SonarQube's credentials.





7. ### Systems Affected ###



This vulnerability was tested against:

Jenkins CI v1.523 and SonarQube Plugin v3.7

Older versions are probably affected too, but they were not checked.





8. ### Vendor Information, Solutions and Workarounds ###



There is the ability to encrypt the "sonar.password" property with the

SonarQube encryption mechanism:



http://docs.codehaus.org/display/SONAR/Settings+Encryption



The sonar.password property is only encryptable since SonarQube v3.7





9. ### Credits ###



This vulnerability has been discovered by:

Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com





10. ### Vulnerability History ###



August   21th, 2013: Vulnerability identification

September 4th, 2013: Vendor notification [Jenkins CI]

November 19th, 2013: Vulnerability confirmation [Jenkins CI]

November 29th, 2013: Vendor notification [SonarQube]

December  2nd, 2013: Vendor solution [SonarQube]

December  6th, 2013: Vulnerability disclosure





11. ### Disclaimer ###



The information contained within this advisory is supplied "as-is"

with no warranties or guarantees of fitness of use or otherwise.

I accept no responsibility for any damage caused by the use or misuse

of this information.



###################################################

Voir sur GitHub