Vulnerabilities: SonarSource

Each entry lists the date, CVE identifier, vulnerability title, description and risk (CVSS score, severity where given, attack vector, attack complexity and CWE).

2020-12-16  CVE-2020-35193  Missing Authentication for Critical Function vulnerability in SonarSource SonarQube Docker Image
    Risk: 10.0 (critical) | Vector: network | Complexity: low | CWE-306
    The official SonarQube Docker images before alpine (Alpine specific) contain a blank password for a root user.

2020-11-02  CVE-2020-28002  Improper Authentication vulnerability in SonarSource SonarQube 8.4.2.36762
    Risk: 5.0 | Vector: network | Complexity: low | CWE-287
    In SonarQube 8.4.2.36762, an external attacker can achieve authentication bypass through SonarScanner.

2020-10-28  CVE-2020-27986  Cleartext Storage of Sensitive Information vulnerability in SonarSource SonarQube 8.4.2.36762
    Risk: 7.5 | Vector: network | Complexity: low | CWE-312
    SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI.

2019-10-14  CVE-2019-17579  Cross-site Scripting vulnerability in SonarSource SonarQube
    Risk: 4.3
    SonarSource SonarQube before 7.8 has XSS in project links on account/projects.

2019-01-09  CVE-2018-1000425  Insufficiently Protected Credentials vulnerability in SonarSource SonarQube Scanner
    Risk: 2.1 | Vector: local | Complexity: low | CWE-522
    An insufficiently protected credentials vulnerability exists in Jenkins SonarQube Scanner Plugin 2.8 and earlier in SonarInstallation.java that allows attackers with local file system access to obtain the credentials used to connect to SonarQube.

2018-12-14  CVE-2018-19413  Information Exposure vulnerability in SonarSource SonarQube
    Risk: 4.0 | Vector: network | Complexity: low | CWE-200
    A vulnerability in the API of SonarSource SonarQube before 7.4 could allow an authenticated user to discover sensitive information such as valid user-account logins in the web application.

2013-12-13  CVE-2013-5676  Cryptographic Issues vulnerability in SonarSource Jenkins Plugin
    Risk: 4.0 | Vector: network | Complexity: low | CWE-310
    The Jenkins Plugin for SonarQube 3.7 and earlier allows remote authenticated users to obtain sensitive information (cleartext passwords) by reading the value in the sonar.sonarPassword parameter from jenkins/configure.