Bug 1043348 (CVE-2013-5676)

Summary: CVE-2013-5676 Jenkins SonarQube Plugin: Plain Text Password Disclosure via configuration parameters
Product: [Other] Security Response
Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bleanhar, ccoleman, dmcphers, grocha, jdetiber, jialiu, lmeyer, tkramer, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-16 04:23:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Arun Babu Neelicattu 2013-12-16 04:17:14 UTC
A flaw was identified in the SonarQube Plugin for Jenkins that disclosed the SonarQube server secret key as used by the plugin. An authenticated remote user with 'Manage Jenkins' privilege could read the secret key as configured via the 'sonar.sonarPassword' parameter.

For users of SonarQube v3.7 or later, a mitigation is to use encrypted settings values as described in [1].

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5676
http://seclists.org/fulldisclosure/2013/Dec/37
http://www.osvdb.org/100666

[1] http://docs.codehaus.org/display/SONAR/Settings+Encryption

Comment 1 Arun Babu Neelicattu 2013-12-16 04:23:57 UTC
Statement:

Not Vulnerable. The SonarQube plug-in for Jenkins is not shipped by Red Hat.