CVE-2024-38460 in SonarQube
Summary
by MITRE • 06/16/2024
In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc.).
Analysis
by VulDB Data Team • 06/08/2025
This vulnerability affects SonarQube versions prior to 10.4 and 9.9.4 Long Term Availability (LTA), specifically the implementation of the Settings Encryption feature. The flaw is a critical information exposure: encrypted configuration values are inadvertently transmitted and logged in cleartext as URL parameters. This happens during normal operation, when SonarQube processes requests that carry encrypted settings, so sensitive data is persisted in several log files, including access logs and proxy logs. The root cause is improper handling of encrypted values during request processing; the system does not keep encrypted data confidential throughout its lifecycle.
The flaw manifests when SonarQube processes requests whose URL query strings contain encrypted configuration parameters. The values are neither sanitized nor redacted before the request is logged, so cleartext representations of sensitive information are written to log files. This violates basic data-protection principles for data in transit and at rest: the values are not only exposed in logs but also become accessible to anyone with read access to those files. The issue is particularly concerning because it affects system-wide logging, so any encrypted value passed in a URL parameter becomes visible in multiple log contexts.
The operational impact goes beyond simple information disclosure, because log files become an attack surface for anyone who gains access to them. An attacker with log access could extract configuration data, authentication tokens, or other encrypted values that were meant to remain protected, potentially leading to privilege escalation, unauthorized access to other systems, or further exploitation. The weakness maps to CWE-209 (Information Exposure Through an Error Message) and CWE-532 (Information Exposure Through Log Data), and to ATT&CK technique T1562.006 for Credential Access through log file manipulation. Both administrative and operational security controls are affected, since values that should remain protected are readily available in system logs.
Organizations should apply the fixed releases, SonarQube 9.9.4 LTA and 10.4, without delay. Security teams should then review existing log files to identify and remove any previously exposed sensitive data. System administrators should enforce log rotation and access controls to limit who can read sensitive information in log files, and network monitoring should be configured to detect and alert on potentially sensitive data in URL parameters. The fix addresses the root cause by handling encrypted values correctly during request processing and logging, so they no longer appear in cleartext in URL parameters. Organizations should also consider additional logging controls and data loss prevention measures to protect against similar weaknesses in other systems.
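The mechanism described above (an encrypted setting travelling as a query parameter and landing in an access log) and the recommended log review can both be exercised with a small scanner. The script below is an added example written for this page, not SonarQube's own code or VulDB's: it parses combined-format access log lines, percent-decodes each query parameter, flags values that carry the prefix SonarQube's Settings Encryption puts on ciphertext (assumed here to be `{aes-gcm}` on current releases and `{aes}` on older ones), and emits a redacted copy of the line that keeps the parameter name but drops the ciphertext. The log lines, request paths, setting keys and ciphertext strings in `SAMPLE_ACCESS_LOG` are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Prefix SonarQube prepends to values produced by Settings Encryption
# ({aes-gcm} on current versions, {aes} on older ones). Assumption for this example.
ENCRYPTED_VALUE_RE = re.compile(r"\{aes(?:-gcm)?\}[A-Za-z0-9+/=]+")

# The request part of a combined-format access log entry: "GET /path?q=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^ "]+) (?P<proto>HTTP/[\d.]+)"')

REDACTED = "REDACTED"

# Constructed sample: line 1 carries a URL-encoded {aes-gcm} value, line 3 a raw {aes}
# value; lines 2 and 4 are benign and must pass through untouched.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [16/Jun/2024:10:01:02 +0000] "GET /api/settings/set?key=sonar.jdbc.password&value=%7Baes-gcm%7DZXhhbXBsZS1jaXBoZXJ0ZXh0 HTTP/1.1" 204 - "-" "curl/8.0" "req-1"
10.0.0.5 - - [16/Jun/2024:10:01:03 +0000] "GET /api/settings/values?keys=sonar.core.serverBaseURL HTTP/1.1" 200 412 "-" "curl/8.0" "req-2"
10.0.0.9 - - [16/Jun/2024:10:01:40 +0000] "GET /api/settings/set?key=sonar.auth.github.clientSecret&value={aes}c2Vjb25kLWV4YW1wbGU= HTTP/1.1" 204 - "-" "curl/8.0" "req-3"
10.0.0.7 - admin [16/Jun/2024:10:02:10 +0000] "POST /api/settings/set HTTP/1.1" 204 - "-" "Mozilla/5.0" "req-4"
"""


def find_exposed_params(line):
    """Return [(param, decoded_value)] for query parameters whose value looks like a
    SonarQube encrypted setting. parse_qsl percent-decodes, so both the raw and the
    URL-encoded spelling of the prefix are caught."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if ENCRYPTED_VALUE_RE.fullmatch(v)]


def redact_line(line):
    """Rewrite the request target so the ciphertext never reaches disk. The parameter
    name is kept (it tells an auditor which setting was touched); the value is not.
    Lines without an encrypted value are returned byte-for-byte unchanged."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(ENCRYPTED_VALUE_RE.fullmatch(v) for _, v in pairs):
        return line
    cleaned = [(k, REDACTED if ENCRYPTED_VALUE_RE.fullmatch(v) else v) for k, v in pairs]
    target = urlunsplit(parts._replace(query=urlencode(cleaned)))
    return line[:m.start("target")] + target + line[m.end("target"):]


def scan_log(text):
    """Scan a whole log. Returns (findings, redacted_text) where findings is a list of
    (line_number, param, decoded_value) suitable for an alert or a review ticket."""
    findings, out = [], []
    for n, line in enumerate(text.splitlines(), 1):
        for param, value in find_exposed_params(line):
            findings.append((n, param, value))
        out.append(redact_line(line))
    return findings, "\n".join(out)


if __name__ == "__main__":
    hits, cleaned = scan_log(SAMPLE_ACCESS_LOG)
    for n, param, value in hits:
        print(f"line {n}: parameter '{param}' carries encrypted setting {value[:12]}...")
    print("--- redacted log ---")
    print(cleaned)
```

Run as a filter in a log-shipping step, the redaction keeps the sensitive value out of the SIEM and out of long-term storage; run over historical logs, the findings list is the review the analysis calls for. Rewriting old files removes the values from disk but does not undo their exposure, so any setting that shows up in the findings should be treated as already disclosed.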