SonarQube API endpoints are accessible publicly without any authentication

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): SonarQube 8.9 LTS
  • what are you trying to achieve: We have already used the forced-authentication option for our SonarQube and we want to block the below-mentioned APIs for our SonarQube:
    http://our_sonarqube.com/api/system/*
    http://our_sonarqube.com/api/l10n/index
  • what have you tried so far to achieve this: We want to block the system API endpoints, which are vulnerable since they are accessible from outside the organization without any authentication. We used the "Force user authentication" option, but the endpoints are still accessible without any authentication, which exposes sensitive information like the System ID and which version we are using.

Hi,

Welcome to the community!

You have a fair point. We've created this ticket to track the issue and plan to fix it in 9.4:

SONAR-15978 - Limit information returned by api/system/* and api/server/* endpoints for unauthenticated users

Ann