SonarQube (CE 10.3.0) leaking encrypted values in web server logs

This sounds like an obvious security issue that had probably been spotted before, but I haven’t found reports of it anywhere, so here we go.

I’ve been setting up SonarQube Community Edition 10.3.0 from Docker (tag sonarqube:10.3.0-community) with settings encryption enabled. When testing the feature, I’ve noticed that the values to encrypt are passed to the encrypt API endpoint as URI parameters, and, as a result, they are logged by the webserver (and also the HTTPS proxy, which I had in my deployment). My screenshot shows offending logs and the browser request:

This kind of defeats the purpose of the encryption feature. It should be easily fixed by passing the values in the request body (which is not logged) instead of the URI. I guess as a workaround you could clear the logs of all web servers the encryption request touches, every time you use it.

1 Like

Hey there.

I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts.

That being said, our team noticed this thread and is already looking into it. Stay tuned!

Hi @ThornableGumpture,

Thanks for this report. We patched this in SonarQube 10.4 and 9.9.4 and released the details today.

 
Thx,
Ann

Cool! Do I need to apply for a CVE now, or have you done it yourself?

Hi,

Uhm… let me come back to you on that.

 
Ann

Hi,

Thanks for your (continued) patience. We’re going to file the CVE.

 
Thx,
Ann