CVE-2013-5676

Jenkins Plugin for SonarQube <= 3.7 - Authenticated Cleartext Password Exposure via sonar.sonarPassword Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-5676. PoCs published by Christian Catalano.

AI-analyzed exploit summary: This advisory describes an information leakage vulnerability in the Jenkins SonarQube Plugin where passwords are stored in plain text. The PoC involves checking the 'sonar.sonarPassword' parameter in the Jenkins configuration page.

Description

The Jenkins Plugin for SonarQube 3.7 and earlier allows remote authenticated users to obtain sensitive information (cleartext passwords) by reading the value in the sonar.sonarPassword parameter from jenkins/configure.

Exploits (1)

exploitdb WRITEUP
by Christian Catalano · text · webapps · php
https://www.exploit-db.com/exploits/30409


Classification: Writeup (100%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Jenkins SonarQube Plugin v3.7 (and likely older versions)
Auth required: yes
Prerequisites: Access to Jenkins configuration page with 'Manage Jenkins' permissions
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core References
Mailing List (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2013/Dec/37
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://www.osvdb.org/100666

Scores

EPSS 0.0531
EPSS Percentile 90.3%

Details

CWE: CWE-310
Status: published
Products (2):
org.jenkins-ci.plugins/sonar (Maven)
sonarsource/jenkins_plugin
Published: Dec 13, 2013
Tracked Since: Feb 18, 2026