CVE-2013-5676 - Cryptographic Issues vulnerability in Sonarsource Jenkins Plugin

CVSS: 4.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: network, low complexity, sonarsource, CWE-310, exploit available

Summary

The Jenkins Plugin for SonarQube 3.7 and earlier allows remote authenticated users to obtain sensitive information (cleartext passwords) by reading the value in the sonar.sonarPassword parameter from jenkins/configure.

Vulnerable Configurations

Part        | Description | Count
Application | Sonarsource | 2

Common Weakness Enumeration (CWE)

CWE-310 - Cryptographic Issues

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Exploit-Db

description: SonarQube Jenkins Plugin - Plain Text Password. CVE-2013-5676. Webapps exploit for php platform
id: EDB-ID:30409
last seen: 2016-02-03
modified: 2013-12-18
published: 2013-12-18
reporter: Christian Catalano
source: https://www.exploit-db.com/download/30409/
title: SonarQube Jenkins Plugin - Plain Text Password

Packetstorm

data source: https://packetstormsecurity.com/files/download/138333/sonarqube-disclose.txt
id: PACKETSTORM:138333
last seen: 2016-12-05
published: 2016-08-13
reporter: Christian Catalano
source: https://packetstormsecurity.com/files/138333/SonarQube-Jenkins-Password-Disclosure.html
title: SonarQube Jenkins Password Disclosure

Seebug

bulletinFamily: exploit
description: No description provided by source.
id: SSV:83804
last seen: 2017-11-19
modified: 2014-07-01
published: 2014-07-01
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-83804
title: SonarQube Jenkins Plugin - Plain Text Password