CVE-2024-38460

MEDIUM

SonarQube <10.4, 9.9.4 - Info Disclosure

Title source: llm

Description

In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc.).

Scores

CVSS v3 4.9
EPSS 0.0018
EPSS Percentile 39.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-532
Status published
Products (2)
org.sonarsource.sonarqube/sonar-web 0 - 9.9.4 (Maven)
sonarsource/sonarqube < 9.9.4
Published Jun 16, 2024
Tracked Since Feb 18, 2026