CVE-2024-47910

An issue was discovered in SonarSource SonarQube before 9.9.5 LTA and 10.x before 10.5. A SonarQube user with the Administrator role can modify an existing configuration of a GitHub integration to exfiltrate a pre-signed JWT.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://community.sonarsource.com/t/sonarqube-github-integration-information-leakage/126609
https://sonarsource.atlassian.net/browse/SONAR-21795
https://sonarsource.atlassian.net/browse/SONAR-21813

Configurations

No configuration.

History

No history.

Information

Published : 2024-10-04 21:15

Updated : 2024-10-07 19:37

NVD link : CVE-2024-47910

Mitre link : CVE-2024-47910

CVE.ORG link : CVE-2024-47910

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

7.2 /10