forked from SonarSource/sonarqube
1 lines (1 loc) · 139 KB
response.json
{"issues":[{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"365589","self":"https://sonarsource.atlassian.net/rest/api/3/issue/365589","key":"SSF-992","fields":{"summary":"Security report from a customer on SQ IDE (Visual Studio Code and IntelliJ)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"Hello Team,"}]},{"type":"paragraph","content":[{"type":"text","text":"A customer reported us the following CVEs on SonarQube IDE for VSCode and IntelliJ. I have searched it in Next instance but was unable to find most of it or an appropriate justification. Could someone look into it and help us know whether we are vulnerable. If yes, then what is the fix plan? If not, then a valid justification. "}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SonarQube for IDE for VS Code (4.42.0)"}]}]}]},{"type":"mediaGroup","content":[{"type":"media","attrs":{"type":"file","id":"23ac152a-e2d9-4c9b-8865-4807b717be94","collection":""}}]},{"type":"paragraph"},{"type":"orderedList","attrs":{"order":2},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SonarQube IDE for IntelliJ (11.13.0)"},{"type":"hardBreak"},{"type":"mediaInline","attrs":{"id":"622a5cc7-5480-4fdd-af58-86d47c75d7df","collection":"","type":"file"}},{"type":"text","text":" "}]}]}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"365239","self":"https://sonarsource.atlassian.net/rest/api/3/issue/365239","key":"SSF-991","fields":{"summary":"Multiple vulnerabilities raised on ingress-nginx","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"In our SonarQube Server helm charts, we use a version of 
"},{"type":"text","text":"ingress-nginx","marks":[{"type":"code"}]},{"type":"text","text":" (as a deprecated dependency) that is now affected by multiple vulnerabilities. "}]},{"type":"paragraph","content":[{"type":"text","text":"Specifically, Wiz Advisory informed about that ("},{"type":"text","text":"https://app.wiz.io/boards/threat-center/wiz-adv-2026-014","marks":[{"type":"link","attrs":{"href":"https://app.wiz.io/boards/threat-center/wiz-adv-2026-014"}},{"type":"underline"}]},{"type":"text","text":")."}]},{"type":"paragraph","content":[{"type":"text","text":"The helm chart versions affected by this are 2026.1.0, 2025.1.5, and 2025.4.4."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"363825","self":"https://sonarsource.atlassian.net/rest/api/3/issue/363825","key":"SSF-990","fields":{"summary":"SonarQube Server 2026.1 Golang 1.25.1 - multiple CVEs","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"Hello developers,"}]},{"type":"paragraph","content":[{"type":"text","text":"I have "},{"type":"text","text":"a support ticket","marks":[{"type":"link","attrs":{"href":"https://sonarsourcehelp.zendesk.com/agent/tickets/67057"}}]},{"type":"text","text":" where the customer has provided spreadsheets with a number of detected issues in SonarQube Server 2025.5. 
The ones I’m focused on are around Golang, and CVEs that are associated with what appears to be the current version of the libraries that we’re using in SQS 2026.1."}]},{"type":"paragraph","content":[{"type":"text","text":"These are the CVEs that are associated with this issue:"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58187"}},{"type":"text","text":" "}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61723"}},{"type":"text","text":" "}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61725"}},{"type":"text","text":" "}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47913"}},{"type":"text","text":" "}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58188"}},{"type":"text","text":" "}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Based on the provided spreadsheet, these are the vulnerable extension paths:"}]},{"type":"codeBlock","content":[{"type":"text","text":"In [17]: for x in dictlist:\n ...: if \"github.com/golang/go\" in x[\"Component\"]:\n ...: for y in x[\"Component Physical Paths\"].split():\n ...: vulnpath.append(y)\n ...: \n\nIn [18]: set(vulnpath)\nOut[18]: \n{'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-go-enterprise-plugin-1.28.0.3761.jar/sonar-go-to-slang-darwin-amd64/github.com/golang/go;',\n 
'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-go-enterprise-plugin-1.28.0.3761.jar/sonar-go-to-slang-darwin-arm64/github.com/golang/go;',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-go-enterprise-plugin-1.28.0.3761.jar/sonar-go-to-slang-linux-amd64/github.com/golang/go;',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-go-enterprise-plugin-1.28.0.3761.jar/sonar-go-to-slang-linux-arm64/github.com/golang/go',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-go-enterprise-plugin-1.28.0.3761.jar/sonar-go-to-slang-linux-arm64/github.com/golang/go;',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-go-enterprise-plugin-1.28.0.3761.jar/sonar-go-to-slang-windows-amd64.exe/github.com/golang/go',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-go-enterprise-plugin-1.28.0.3761.jar/sonar-go-to-slang-windows-amd64.exe/github.com/golang/go;',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-iac-plugin-1.50.0.16452.jar/sonar-helm-for-iac-darwin-amd64/github.com/golang/go',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-iac-plugin-1.50.0.16452.jar/sonar-helm-for-iac-darwin-amd64/github.com/golang/go;',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-iac-plugin-1.50.0.16452.jar/sonar-helm-for-iac-darwin-arm64/github.com/golang/go',\n 
'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-iac-plugin-1.50.0.16452.jar/sonar-helm-for-iac-darwin-arm64/github.com/golang/go;',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-iac-plugin-1.50.0.16452.jar/sonar-helm-for-iac-linux-amd64/github.com/golang/go',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-iac-plugin-1.50.0.16452.jar/sonar-helm-for-iac-linux-amd64/github.com/golang/go;',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-iac-plugin-1.50.0.16452.jar/sonar-helm-for-iac-linux-arm64/github.com/golang/go',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-iac-plugin-1.50.0.16452.jar/sonar-helm-for-iac-linux-arm64/github.com/golang/go;',\n 'sha256__9cb882421ad5cbe943b8d3f009b8a01276ada3625ff32f71e9c3aaaf8dccb478.tar.gz/opt/sonarqube/lib/extensions/sonar-iac-plugin-1.50.0.16452.jar/sonar-helm-for-iac-windows-amd64/github.com/golang/go;'}"}]},{"type":"paragraph","content":[{"type":"text","text":"Here’s what I’ve found for references in the tagged extension versions for 2026.1:"}]},{"type":"codeBlock","content":[{"type":"text","text":"➜ sonar_analyzers for x in sonar-iac-enterprise sonar-go-enterprise; do git -C $x describe --tags --abbrev=0 HEAD; grep -r \"GO_VERSION\\:\" ./$x/; done\n2.5.0.18803\n./sonar-iac-enterprise/.github-public/workflows/build.yml: GO_VERSION: \"1.25.1\"\n./sonar-iac-enterprise/sonar-helm-for-iac/make.sh:readonly GO_VERSION=\"${GO_VERSION:-1.25.1}\"\n./sonar-iac-enterprise/sonar-helm-for-iac/make.sh:readonly PROTOBUF_GO_VERSION=\"${PROTOBUF_GO_VERSION:-1.36.11}\"\n./sonar-iac-enterprise/.github/workflows/shadow-scans.yml: GO_VERSION: 
\"1.25.1\"\n./sonar-iac-enterprise/.github/workflows/build.yml: GO_VERSION: \"1.25.1\"\n1.31.0.4938\n./sonar-go-enterprise/.github-public/workflows/build.yaml: GO_VERSION: \"1.25.1\"\n./sonar-go-enterprise/sonar-go-to-slang/make.sh:readonly GO_VERSION=\"${GO_VERSION:-$default_go_version}\"\n./sonar-go-enterprise/.github/workflows/shadow_scan.yml: GO_VERSION: \"1.25.1\"\n./sonar-go-enterprise/.github/workflows/build.yml: GO_VERSION: \"1.25.1\""}]},{"type":"paragraph","content":[{"type":"text","text":"The spreadsheet(s) provided by the customer point towards "},{"type":"text","text":"sonar-iac-plugin-1.50.0.16452.jar","marks":[{"type":"code"}]},{"type":"text","text":" as being problematic and not "},{"type":"text","text":"sonar-iac-enterprise","marks":[{"type":"code"}]},{"type":"text","text":" (it looks like the issue may also exist there), but I was not able to find the "},{"type":"text","text":"1.50.0.16452","marks":[{"type":"code"}]},{"type":"text","text":" tag within the "},{"type":"text","text":"sonar-iac","marks":[{"type":"strong"}]},{"type":"text","text":" repository. 
If there’s somewhere else I need to look for that, please let me know."}]},{"type":"paragraph","content":[{"type":"text","text":"I did not see any matches between any of the above CVEs or extensions in "},{"type":"text","text":"next.sonarqube.com","marks":[{"type":"link","attrs":{"href":"http://next.sonarqube.com"}}]},{"type":"text","text":"."}]},{"type":"paragraph","content":[{"type":"text","text":"If there’s any other info needed from me, please let me know."}]},{"type":"paragraph","content":[{"type":"text","text":"Thanks!"},{"type":"hardBreak"},{"type":"text","text":"Daniel"}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"363387","self":"https://sonarsource.atlassian.net/rest/api/3/issue/363387","key":"SSF-989","fields":{"summary":"Security issue around GitHub project bindings","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"Ref: "},{"type":"text","text":"https://discuss.sonarsource.com/t/discrepancies-in-authentication-behavior-for-github-project-import/23839","marks":[{"type":"link","attrs":{"href":"https://discuss.sonarsource.com/t/discrepancies-in-authentication-behavior-for-github-project-import/23839"}}]}]},{"type":"rule"},{"type":"heading","attrs":{"level":2},"content":[{"type":"text","text":"Discrepancies in authentication behavior for Github Project Import"}]},{"type":"paragraph","content":[{"type":"text","text":"Hi Team,"}]},{"type":"paragraph","content":[{"type":"text","text":"I had a customer who wrote in with concerns about the way SonarQube handles authentication when Importing Github projects using the Github configuration on DevOps Platform Integration."}]},{"type":"paragraph","content":[{"type":"text","text":"During an initial project import, a SonarQube user with permissions to create projects can choose to use any of the Github configurations on the server to perform an import. 
SonarQube then redirects to the Github login and afterwards, SonarQube only displays projects which the user has access to on Github to import. This means that SonarQube is using the user Github permissions instead of the Github configuration to list the projects available, which sounds right."}]},{"type":"paragraph","content":[{"type":"text","text":"After the initial import however, the user could go to the Project Settings to change the binding to any Github project slug which the Github configuration has access to. The user could even change to any of the Github configurations available on SonarQube and bind to a project that the user does not have access to on Github."}]},{"type":"paragraph","content":[{"type":"text","text":"Would this be the intended behavior? Happy to hear more about product teams thoughts about this."}]},{"type":"paragraph","content":[{"type":"text","text":"Please see below for some screenshots"}]},{"type":"paragraph","content":[{"type":"text","text":"Initial import which routes to a Github login","marks":[{"type":"strong"}]}]},{"type":"mediaSingle","attrs":{"width":568,"widthType":"pixel","layout":"align-start"},"content":[{"type":"media","attrs":{"type":"file","id":"62da6b40-a969-4a6a-a02a-c82989ebabd5","alt":"initial_import","collection":"","height":260,"width":500}}]},{"type":"paragraph"},{"type":"paragraph","content":[{"type":"text","text":"List of projects visible to user","marks":[{"type":"strong"}]}]},{"type":"mediaSingle","attrs":{"width":572,"widthType":"pixel","layout":"align-start"},"content":[{"type":"media","attrs":{"type":"file","id":"761c9e58-dfdf-4a46-8fae-eb02ce63a03b","alt":"github_user_projects","collection":"","height":260,"width":500}}]},{"type":"paragraph"},{"type":"paragraph","content":[{"type":"text","text":"Full list of projects on Github 
organisation","marks":[{"type":"strong"}]}]},{"type":"mediaSingle","attrs":{"width":574,"widthType":"pixel","layout":"align-start"},"content":[{"type":"media","attrs":{"type":"file","id":"26b366e1-8e22-421c-9815-a9739fa3e118","alt":"full_list_projects_in_github_org","collection":"","height":256,"width":500}}]},{"type":"paragraph"},{"type":"paragraph","content":[{"type":"text","text":"Binding to a project that user cannot see on Github","marks":[{"type":"strong"}]}]},{"type":"mediaSingle","attrs":{"width":580,"widthType":"pixel","layout":"align-start"},"content":[{"type":"media","attrs":{"type":"file","id":"76f2e2f7-161b-4ab5-ad48-fe6589b2bdd7","alt":"bind_to_project_without_access","collection":"","height":257,"width":500}}]},{"type":"paragraph"},{"type":"paragraph","content":[{"type":"text","text":"Regards,"}]},{"type":"paragraph","content":[{"type":"text","text":"Yu Zheng"}]},{"type":"rule"}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"362746","self":"https://sonarsource.atlassian.net/rest/api/3/issue/362746","key":"SSF-988","fields":{"summary":"CVE-2025-6965 in IDE Plugin for IntelliJ","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"Hello, "}]},{"type":"paragraph","content":[{"type":"text","text":"We have received this request from a customer:"}]},{"type":"blockquote","content":[{"type":"paragraph","content":[{"type":"text","text":"Ann Campbell asked me to send the information about this Vulnerability directly to this E-Mail, so:"}]},{"type":"paragraph","content":[{"type":"text","text":"In the latest Version of the “SonarQube for IDE” Plugin for Jetbrains IntelliJ SQLite is used in Version 2.1.0.1603 (according to our Vulnerability Scanner)."}]},{"type":"paragraph","content":[{"type":"text","text":"This version has a critical vulnerability: "},{"type":"text","text":"NVD - 
CVE-2025-6965","marks":[{"type":"link","attrs":{"href":"https://nvd.nist.gov/vuln/detail/CVE-2025-6965"}},{"type":"underline"}]},{"type":"text","text":" "}]},{"type":"paragraph","content":[{"type":"text","text":"This vulnerability is fixed in SQLite 3.50.2 or later -> is it possible to upgrade that dependency? Otherwise we would have to remove that plugin from our development hosts."}]}]},{"type":"paragraph","content":[{"type":"text","text":"Would you please let me know if their has either already been an update or if there are plans to address this in the SQ IDE? I am unable to find a matching finding in Next."}]},{"type":"paragraph","content":[{"type":"text","text":"Best,"}]},{"type":"paragraph","content":[{"type":"text","text":"Conner"}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"359772","self":"https://sonarsource.atlassian.net/rest/api/3/issue/359772","key":"SSF-986","fields":{"summary":"SOQ-19-009 WP1: CSP bypass still allowed via lax script-src allowlist (Low)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"Upon retesting the Content Security Policy (CSP) bypass issue that was previously reported as SOQ-16-007 WP1: CSP bypass via lax script-src allowlist (Low) in the SOQ-16 report, it was found that several bypasses allowing the execution of arbitrary JavaScript still exist."}]},{"type":"paragraph","content":[{"type":"text","text":"When comparing the previous CSP rules, it was found that the 'unsafe-eval' source expression has been removed. However, origins that have known script gadgets capable of executing arbitrary JavaScript are still listed. 
Through this, when a bug exists that allows arbitrary HTML to be written, arbitrary JavaScript can be executed with ease."}]},{"type":"paragraph","content":[{"type":"text","text":"In the following highlighted origins, one or more script gadgets that allow arbitrary JavaScript execution, or partial method invocation known as SOME (Same Origin Method Execution) have been confirmed:"}]},{"type":"paragraph","content":[{"type":"text","text":"CSP:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"Content-Security-Policy: default-src 'self'; script-src 'self' 'sha256-\nIgMQOOOedQeMPBl7lSreMVPmJvU62bc6l8HcsGXnbWc='\nhttps://*.analytics.google.com https://*.google-analytics.com\nhttps://*.googletagmanager.com https://tagmanager.google.com\nhttps://www.google.com https://*.clarity.ms\nhttps://pagead2.googlesyndication.com https://google.com\nhttps://bat.bing.com https://*.g.doubleclick.net https://*.google.com\nhttps://snap.licdn.com https://static.ads-twitter.com\nhttps://cdn.cookielaw.org https://sentry.io https://*.sentry.io\nhttps://*.fullstory.com https://*.sprig.com https://*.stripe.com/\nhttps://*.getbeamer.com; [...]"}]},{"type":"paragraph","content":[{"type":"text","text":"Based on the allowed "},{"type":"text","text":"https://tagmanager.google.com","marks":[{"type":"link","attrs":{"href":"https://tagmanager.google.com"}}]},{"type":"text","text":" or https://*.google.com, arbitrary JavaScript execution is permitted through the following AngularJS call:"}]},{"type":"paragraph","content":[{"type":"text","text":"Bypass #1:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"html"},"content":[{"type":"text","text":"<iframe srcdoc='\n<script src=\"https://tagmanager.google.com/js/gtm_compiled.js\"></script>\n<script src=\"https://tagmanager.google.com/js/lib.js\"></script>\n<input autofocus ng-app ng-\nblur=\"$event.target.ownerDocument.defaultView.alert($event.target.ownerDocu\nment.domain)\"><meta 
http-equiv=refresh content=0;url=mailto:>\n'></iframe>"}]},{"type":"paragraph","content":[{"type":"text","text":"Also, based on the allowed "},{"type":"text","text":"https://www.google.com","marks":[{"type":"link","attrs":{"href":"https://www.google.com"}}]},{"type":"text","text":" or https://*.google.com, arbitrary JavaScript execution is permitted through the following AngularJS call:"}]},{"type":"paragraph","content":[{"type":"text","text":"Bypass #2:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"html"},"content":[{"type":"text","text":"<script src=\"https://www.google.com/recaptcha/about/js/main.min.js\"></script>\n<img src=x ng-on-error=$event.target.ownerDocument.defaultView.alert(1)>"}]},{"type":"paragraph","content":[{"type":"text","text":"Additionally, the allowed https://*.googletagmanager.com, https://*.google-analytics.com, and https://*.g.doubleclick.net are known to have JSONP endpoints that allow SOME. "}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate the threat of XSS, it is recommended to set a strict CSP header. In particular, a nonce-based CSP is recommended in this case. 
A CSP based on a host allowlist is not recommended, since there is no reliable way to guarantee that external hosts do not contain script gadgets that allow arbitrary script execution."}]},{"type":"paragraph","content":[{"type":"text","text":"References:","marks":[{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"https://cspbypass.com/#g.doubleclick.net","marks":[{"type":"link","attrs":{"href":"https://cspbypass.com/#g.doubleclick.net"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"https://cspbypass.com/#google-analytics.com","marks":[{"type":"link","attrs":{"href":"https://cspbypass.com/#google-analytics.com"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"https://cspbypass.com/#tagmanager.com","marks":[{"type":"link","attrs":{"href":"https://cspbypass.com/#tagmanager.com"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"https://web.dev/articles/strict-csp?hl=en","marks":[{"type":"link","attrs":{"href":"https://web.dev/articles/strict-csp?hl=en"}}]}]}]}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"359770","self":"https://sonarsource.atlassian.net/rest/api/3/issue/359770","key":"SSF-985","fields":{"summary":"SOQ-19-008 WP1: Client-side path traversal in Architecture UI (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"Following the discovery of the SOQ-19-002 and SOQ-19-004 issue, a client-side path traversal issue was found in the Architecture functionality of the SonarQube application. The affected page (/project/architecture/discovery) receives the string specified in the portfolioId parameter, then utilizes this string to initiate an API request. 
However, path traversal occurs here due to a lack of adequate validation."}]},{"type":"paragraph","content":[{"type":"text","text":"The issue can be reproduced by opening the following URL. If the URL is opened by an authenticated user, then a preflight request will be sent to /arbitrary/api-origin/path by the client-side JavaScript, instead of being sent to the expected API endpoint. Notably, the id parameter must specify the id of a project to which the logged-in user has access."}]},{"type":"paragraph","content":[{"type":"text","text":"PoC:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"https://sc-staging.io/project/architecture/discovery?id=cure53-test-1_mk-test&portfolioId=../../arbitrary/api-origin/path"}]},{"type":"paragraph","content":[{"type":"text","text":"Sent request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"json"},"content":[{"type":"text","text":"OPTIONS https://api.sc-staging.io/arbitrary/api-origin/path HTTP/1.1\nHost: api.sc-staging.io\nConnection: keep-alive\nAccept: */*\nAccess-Control-Request-Method: GET\nAccess-Control-Request-Headers: x-xsrf-token\n[...]"}]},{"type":"paragraph","content":[{"type":"text","text":"The portfolioId parameter is retrieved via the following code:"}]},{"type":"paragraph","content":[{"type":"text","text":"Affected file:","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"src/apps/portfolios/hooks/usePortfolio.tsx","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"type":"text","text":"Affected code:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"java"},"content":[{"type":"text","text":"export default function usePortfolio() {\nconst params = useParams() as { portfolioId: string };\nconst [searchParams] = useSearchParams();\nconst portfolioId = params?.portfolioId ??\nsearchParams.get('portfolioId');\n[...]\n}"}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate the 
potential risks discussed in SOQ-19-002, it is recommended to validate that the string specified in the portfolioId parameter for sending API requests conforms to the expected format (in this case, a UUID)."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"359764","self":"https://sonarsource.atlassian.net/rest/api/3/issue/359764","key":"SSF-982","fields":{"summary":"SOQ-19-004 WP1: Multiple client-side path traversal issues in Portfolio UI (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While covering the UI component of the Dynamic Portfolio Definition feature, the testing team noted several client-side path traversal issues in the Portfolio UI. Insufficient validation of user-controlled path segments allowed attackers to manipulate client-side navigation paths, and to trigger unintended API routes via OPTIONS requests."}]},{"type":"paragraph","content":[{"type":"text","text":"The issue can be reproduced by opening one of the following URLs. 
If an authenticated user opens the URL, then the client-side JavaScript will send a preflight request to /arbitrary/api-origin/path instead of the expected API endpoint:"}]},{"type":"paragraph","content":[{"type":"text","text":"Affected URLs:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"https://sc-staging.io/enterprise/cure53/portfolios-permission-templates/%252e%09%252e%5c%252e%09%252e%5carbitrary%5capi-origin%5cpath\nhttps://sc-staging.io/enterprise/cure53/portfolios/%252e%09%252e%5c%252e%09%252e%5carbitrary%5capi-origin%5cpath"}]},{"type":"paragraph","content":[{"type":"text","text":"Sent request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"json"},"content":[{"type":"text","text":"OPTIONS https://api.sc-staging.io/arbitrary/api-origin/path HTTP/1.1\nHost: api.sc-staging.io\nAccess-Control-Request-Method: GET\nAccess-Control-Request-Headers: x-xsrf-token\n[...]"}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate this issue, it is recommended to follow the guidance outlined in SOQ-19-002."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"359762","self":"https://sonarsource.atlassian.net/rest/api/3/issue/359762","key":"SSF-981","fields":{"summary":"SOQ-19-003 WP1: JavaScript source maps disclose unpacked source code (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While reviewing the application, Cure53 noted that JavaScript source maps are publicly available, with the path advertised in an easily discoverable location. This behavior may expose a vast array of information. 
While this fault does not evoke a direct security risk at present, it may prove beneficial for opportunistic actors attempting to locate hardcoded sensitive data or vulnerabilities in the source code."}]},{"type":"paragraph","content":[{"type":"text","text":"Selected source map locations:"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"https://sc-staging.io/highlightjs-CFvgWmRf.js.map","marks":[{"type":"link","attrs":{"href":"https://sc-staging.io/highlightjs-CFvgWmRf.js.map"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"https://sc-staging.io/FormField-BQB-DHr9.js.map","marks":[{"type":"link","attrs":{"href":"https://sc-staging.io/FormField-BQB-DHr9.js.map"}}]}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"It should be noted that further publicly available source maps also exist. Only a selection is shown here."}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate this issue, Cure53 advises altering the deployment process to ensure that source maps are not pushed to publicly reachable locations."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"359760","self":"https://sonarsource.atlassian.net/rest/api/3/issue/359760","key":"SSF-980","fields":{"summary":"SOQ-19-002 WP1: Client-side path traversal in Custom Dashboard (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"Testing confirmed the presence of a client-side path traversal issue in the Custom Dashboard functionality of the SonarQube application. The affected page (/project/dashboards/[uuid]) receives the string specified in the URL's pathname, then utilizes this string to initiate an API request. 
However, path traversal occurs here due to a lack of adequate validation."}]},{"type":"paragraph","content":[{"type":"text","text":"The issue can be reproduced by opening the following URL. If the URL is opened by an authenticated user, then a preflight request will be sent to /arbitrary/api-origin/path by the client-side JavaScript, instead of being sent to the expected API endpoint. Notably, the id parameter must specify the id of a project to which the logged-in user has access."}]},{"type":"paragraph","content":[{"type":"text","text":"PoC:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"https://sc-staging.io/project/dashboards/%252e%09%252e%5c%252e%09%252e%5carbitrary%5capi-origin%5cpath?id=cure53organization_iframe-src-onload-event-target-src-javascript-import-boxxssy-h4x-tv-pl-js-iframe"}]},{"type":"paragraph","content":[{"type":"text","text":"Sent request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"json"},"content":[{"type":"text","text":"OPTIONS https://api.sc-staging.io/arbitrary/api-origin/path HTTP/1.1\nHost: api.sc-staging.io\nConnection: keep-alive\nPragma: no-cache\nCache-Control: no-cache\nAccept: */*\nAccess-Control-Request-Method: GET\nAccess-Control-Request-Headers: x-xsrf-token\n[...]"}]},{"type":"paragraph","content":[{"type":"text","text":"This issue has the following potential impacts:"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Content spoofing or Cross-Site Scripting (XSS):","marks":[{"type":"strong"}]},{"type":"text","text":" if it is possible to specify an endpoint that returns an arbitrary JSON response via path traversal, then content displayed in the UI can be spoofed. In the worst case, depending on how JSON properties are used, this may lead to arbitrary JavaScript execution. 
This scenario is commonly possible when an application offers a feature to host user-generated files, or when endpoints allow open redirects."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Cross-Site Request Forgery (CSRF):","marks":[{"type":"strong"}]},{"type":"text","text":" if there is an endpoint that changes state, then CSRF may be possible by specifying that endpoint via the path traversal. This is because the x-xsrf-token request header intended to prevent CSRF is included in this request. To exploit this behavior in this case, an endpoint that changes state using just GET requests with the x-xsrf-token request header must exist."}]},{"type":"paragraph","content":[{"type":"text","text":"Fortunately, no endpoints enabling these exploits were identified within the https://api.sc-staging.io origin during the testing period."}]},{"type":"paragraph","content":[{"type":"text","text":"Nevertheless, in order to mitigate these potential risks, it is recommended to validate that the string specified in the path for sending API requests conforms to the expected format (in this case, a UUID)."}]}]}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"359758","self":"https://sonarsource.atlassian.net/rest/api/3/issue/359758","key":"SSF-979","fields":{"summary":"SOQ-19-011 WP1: Regular expression DoS in portfolio definition (Medium)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"During the review of the Dynamic Portfolio Definition feature, it became apparent that the portfolio definition logic allows users to set a custom regular expression to select project keys for new portfolios. However, it was discovered that attackers have complete control over the provided regular expression, and that project keys can be up to 400 characters long. 
This creates a vulnerability known as Regular Expression Denial of Service (ReDoS). Certain regular expressions can result in exponential time complexity, due to the risk of catastrophic backtracking."}]},{"type":"paragraph","content":[{"type":"text","text":"This risk is further amplified because the regular expression is evaluated against every project key. As a result, attackers can increase the impact by creating a large number of projects with maliciously-crafted project keys. Further investigation revealed that no execution timeout or safeguard is implemented for regular expression evaluation."}]},{"type":"paragraph","content":[{"type":"text","text":"Although active exploitation was not confirmed because testing was halted to prevent any impact on the shared staging environment used by the development team, the observed behavior indicates a credible Denial of Service (DoS) risk."}]},{"type":"paragraph","content":[{"type":"text","text":"The following steps outline how to reproduce this issue:"}]},{"type":"paragraph","content":[{"type":"text","text":"Steps to reproduce:","marks":[{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Navigate to "},{"type":"text","text":"https://sc-staging.io/","marks":[{"type":"link","attrs":{"href":"https://sc-staging.io/"}}]},{"type":"text","text":" and log in as enterprise admin."}]}]}]},{"type":"orderedList","attrs":{"order":2},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Create a new project containing the malicious project key as specified in the request below:"}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Example request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"json"},"content":[{"type":"text","text":"POST /api/projects/create HTTP/2\nHost: sc-staging.io\nCookie: XSRF-TOKEN=<Token>; JWT-SESSION=<Session>\nX-Xsrf-Token: 
<Token>\nContent-Length: 195\nContent-Type: application/x-www-form-urlencoded\n[...]\nproject=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&name=d&organization=cure53organization&visibility=private&newCodeDefinitionType=previous_version&newCodeDefinitionValue=previous_version"}]},{"type":"paragraph","content":[{"type":"text","text":"Response:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"json"},"content":[{"type":"text","text":"HTTP/2 200 OK\n[...]\n{\"project\":{\"key\":\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\",\"name\":\"d\",\"qualifier\":\"TRK\",\"visibility\":\"private\",\"uuid\":\"AZw0Otv8FnOZjfc932zf\"}}"}]},{"type":"orderedList","attrs":{"order":3},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Create a new portfolio and intercept the example request provided below, to trigger the ReDoS vulnerability:"}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Example request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"json"},"content":[{"type":"text","text":"PATCH /enterprises/portfolios/ad007266-26c0-45b2-9118-b152c1baee2f?simulate=true HTTP/2\nHost: api.sc-staging.io\nCookie: XSRF-TOKEN=<Token>; JWT-SESSION=<Session>\nX-Xsrf-Token: <Token>\nContent-Length: 68\nContent-Type: application/json\n{\"selection\":\"regex\",\"regularExpression\":\"(.*a){65}\",\"branchKey\":\"\"}"}]},{"type":"orderedList","attrs":{"order":4},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Note that the response duration is 4-5 seconds and increases exponentially with the project key length."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate this issue, it is recommended to restrict the allowed regular expression syntax to a safe subset, to enforce strict execution timeouts, and to consider using a non-backtracking regular expression engine or alternative matching logic that 
guarantees linear time complexity."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"359754","self":"https://sonarsource.atlassian.net/rest/api/3/issue/359754","key":"SSF-977","fields":{"summary":"SOQ-19-007 WP1: Lack of ACL when updating portfolios leaks project count (Low)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"During the assessment, it was observed that the dynamic portfolio creation functionality allows projects to be referenced by organizationIds when updating portfolios. It was discovered that access control checks were not enforced for these organizationIds, which allowed authenticated attackers to specify organizationIds for organizations to which they did not have authorized access. As a result, attackers were able to infer the total number of projects associated with those organizations - including private projects. Further investigation confirmed that no additional information - such as project summaries, metadata, or reports related to private projects - could be disclosed through this behavior. 
The impact was therefore limited to the disclosure of project counts only, and the finding was assessed as being of Low severity."}]},{"type":"paragraph","content":[{"type":"text","text":"The following example request explains how to reproduce this issue by referencing other organizationIds and disclosing the total number of projects:"}]},{"type":"paragraph","content":[{"type":"text","text":"Example request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"json"},"content":[{"type":"text","text":"PATCH /enterprises/portfolios/e3c6c9cd-ed55-464a-9a71-f86254fccbeb?simulate=false HTTP/2\nHost: api.sc-staging.io\nCookie: XSRF-TOKEN=<Token>; JWT-SESSION=<Session>\nX-Xsrf-Token: <Token>\n[...]\n{\"selection\":\"organizations\",\"organizationIds\":[\"fd363a75-ee69-481a-a7f8-e3f8de58e03c\",\"a14f59f6-f6ea-46e8-80ca-1fffd90d5602\"],\"branchKey\":\"\"}"}]},{"type":"paragraph","content":[{"type":"text","text":"Response:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"json"},"content":[{"type":"text","text":"HTTP/2 200 OK\n[...]\n{\"id\":\"e3c6c9cd-ed55-464a-9a71-f86254fccbeb\",\"enterpriseId\":\"4c25b30c-763c-48fe-859f-e56cb86ad4d2\",\"name\":\"ACL TEST\",\"selection\":\"organizations\",\"description\":\"dwqdwq\",\"projects\":[],\"tags\":[],\"organizationIds\":[\"fd363a75-ee69-481a-a7f8-e3f8de58e03c\",\"a14f59f6-f6ea-46e8-80ca-1fffd90d5602\"],\"projectsMatched\":4,\"projectCount\":4,\"isDraft\":false,\"draftStage\":0}"}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate this issue, it is recommended to enforce strict access control checks when processing organizationIds during portfolio updates, to ensure that only organizations explicitly authorized for the authenticated user can be 
referenced."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"359438","self":"https://sonarsource.atlassian.net/rest/api/3/issue/359438","key":"SSF-975","fields":{"summary":"PARENT: SonarCloud Pentest - February 2026","description":{"type":"doc","version":1,"content":[{"type":"heading","attrs":{"level":1},"content":[{"type":"text","text":"Umbrella ticket for SonarCloud Pentest - February 2026"}]},{"type":"paragraph","content":[{"type":"text","text":"Test Dates: 02.02.2026 - 06.02.2026"}]},{"type":"heading","attrs":{"level":3},"content":[{"type":"text","text":"Identified Vulnerabilities"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOQ-19-001 WP1: Dashboards endpoint discloses creators (Low)"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOQ-19-007 WP1: Lack of ACL when updating portfolios leaks project count (Low)"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOQ-19-010 WP1: Enterprise admin deletion does not revoke admin access (High)"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOQ-19-011 WP1: Regular expression DoS in portfolio definition (Medium)"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"type":"text","text":"Miscellaneous Issues"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOQ-19-002 WP1: Client-side path traversal in Custom Dashboard (Info)"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOQ-19-003 WP1: JavaScript source maps disclose unpacked source code (Info)"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOQ-19-004 WP1: Multiple client-side path traversal issues in Portfolio UI 
(Info)"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOQ-19-005 WP1: S3 filename injection when generating portfolio report (Low)"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOQ-19-006 WP1: Potential DoS via pageSize in portfolios endpoint (Medium)"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOQ-19-008 WP1: Client-side path traversal in Architecture UI (Info)"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOQ-19-009 WP1: CSP bypass still allowed via lax script-src allowlist (Low)"}]}]}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"358251","self":"https://sonarsource.atlassian.net/rest/api/3/issue/358251","key":"SSF-972","fields":{"summary":"Any user can access project association data for Quality Gates","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"The "},{"type":"text","text":"/quality-gates/project-association","marks":[{"type":"code"}]},{"type":"text","text":" endpoint gives information about projects being associated to a specific quality gate ("},{"type":"text","text":"API docs","marks":[{"type":"link","attrs":{"href":"https://api-docs.sonarsource.com/sonarqube-cloud/default/public-qualitygates-1-0-0"}}]},{"type":"text","text":"). 
It returns the following information:"}]},{"type":"codeBlock","attrs":{"language":"json"},"content":[{"type":"text","text":"{\n \"projectAssociations\": [\n {\n \"id\": \"string\",\n \"qualityGateId\": \"string\",\n \"projectId\": \"string\",\n \"defaultFallback\": true\n }\n ],\n \"page\": {\n \"pageIndex\": 0,\n \"pageSize\": 0,\n \"total\": 0\n }\n}"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"type":"text","text":"We’re currently not checking whether the user has access to this organization.","marks":[{"type":"strong"}]},{"type":"text","text":" This means a user could, if they have a private organization’s UUID and, either, a Quality Gate UUID or a Project UUID, call this API and get access to private information."}]},{"type":"paragraph","content":[{"type":"text","text":"The “worst-case” is if the user has an organization UUID and a Quality Gate UUID, which will potentially allow them to enumerate a long list of Project UUIDs."}]},{"type":"paragraph","content":[{"type":"text","text":"The exposed data is not sensitive in itself, as it is only a list of UUIDs. But it could enable enumeration attacks on other endpoints."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"336628","self":"https://sonarsource.atlassian.net/rest/api/3/issue/336628","key":"SSF-965","fields":{"summary":"SOQ-18-009 WP1: SonarSecrets CLI allows HTTP SonarQube server URL (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While testing the SonarSecrets CLI, it was observed that the authentication flow accepts HTTP URLs. If a user misconfigures the setup to use HTTP instead of HTTPS, then attackers on the same network could perform a Manipulator-in-the-Middle (MitM) attack and intercept the Authorization Bearer token. 
This misconfiguration weakens the security of the authentication process and exposes users to credential leakage."}]},{"type":"paragraph","content":[{"type":"text","text":"The following PoC outlines how to reproduce this issue:"}]},{"type":"paragraph","content":[{"type":"text","text":"PoC:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"SONAR_SECRETS_TOKEN=sqa_5852[..]535 SONAR_SECRETS_AUTH_URL=http://127.0.0.1:1337 ./sonar-secrets-2.35.0.10002-linux-x86-64 DVWA-master/"}]},{"type":"paragraph","content":[{"type":"text","text":"Observed request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"Connection received on localhost 53742\nGET /api/editions/is_valid_license HTTP/1.1\nConnection: Upgrade, HTTP2-Settings\nHost: 127.0.0.1:1337\nHTTP2-Settings: AAEAAEAAAAIAAAAAAAMAAAAAAAQBAAAAAAUAAEAAAAYABgAA\nUpgrade: h2c\nUser-Agent: Java-http-client/25\nAuthorization: Bearer sqa_5852[..]535"}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate this issue, it is advised that HTTP URLs should not be enabled by default, and that users should be warned when attempting to configure an insecure HTTP URL."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"336624","self":"https://sonarsource.atlassian.net/rest/api/3/issue/336624","key":"SSF-963","fields":{"summary":"SOQ-18-007 WP1: Limited Markdown injection via malicious filenames (Low)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"During testing of the Jira Cloud integration, it was observed that scanned issues may include attacker-controlled filenames. When these issues are pushed to the Jira instance, the filenames are neither sanitized nor validated. Because Jira tickets render Markdown by default, projects containing files with crafted filenames - such as ‘!foo.png! 
.php’ or ‘a **test**b.php’ can trigger limited Markdown injection in the resulting Jira tickets. Such manipulated tickets could be used to fool developers, or potentially to phish them, by presenting misleading or deceptive information."}]},{"type":"paragraph","content":[{"type":"text","text":"Testing showed that generating valid HTTP Markdown links was not feasible, because the multiple slashes required by the HTTP protocol were stripped during processing. However, filename values can still be spoofed by intercepting and modifying requests sent to the SonarQube instance - potentially influencing how the content is rendered in Jira."}]},{"type":"paragraph","content":[{"type":"text","text":"The following example request illustrates how a malicious filename could be used to modify the Markdown in a Jira ticket:"}]},{"type":"paragraph","content":[{"type":"text","text":"Example request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"POST /pentesting/api/v2/jira/work-items HTTP/1.1\nHost: audit.sonarqube.com\nCookie: XSRF-TOKEN=gc[..]8i; JWT-SESSION=ey[...]4w\nContent-Length: 820\nX-Xsrf-Token: gc[..]8i\nContent-Type: application/json\n\n{\"summary\":\"SonarQube issue - Change this code to not reflect unsanitized\nuser-controlled data.\",\"description\":\"\\n*SonarQube issue link:*\\n[Change\nthis code to not reflect unsanitized user-controlled\ndata.|https://audit.sonarqube.com/pentesting/project/issues?open=501f2439-\n51e5-4b5b-9860-a1abf8070cb9&id=d]\\n\\n*Where is the issue?*\\n- File: d > a\n**test** b.php\\n- Code line: 2\\n- Introduced on: December 05, 2025, 13:51\\\nn\\n*Why is this an issue and how to fix\nit?*\\n[phpsecurity:S5131|https://audit.sonarqube.com/pentesting/coding_rule\ns?open=phpsecurity%3AS5131&rule_key=phpsecurity%3AS5131]\\n\\n*Impact*\\n-\nSoftware quality - SECURITY\\n\\n*Creator:* 
Unknown\\\nn\",\"sonarProjectId\":\"6147c44a-708c-456b-b286-\n43723ef24317\",\"resourceId\":\"501f2439-51e5-4b5b-9860-\na1abf8070cb9\",\"resourceType\":\"SONAR_ISSUE\",\"workTypeId\":\"10001\"}"}]},{"type":"paragraph","content":[{"type":"text","text":"Response:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"HTTP/1.1 201\n[...]\n{\"id\":\"8f39e252-e75e-40c4-8910-\n16508ca283b9\",\"jiraIssueId\":\"10096\",\"jiraIssueKey\":\"KAN-\n33\",\"jiraIssueUrl\":\"https://cure53.atlassian.net/browse/KAN-33\",\"jiraIssueStatus\":null}"}]},{"type":"paragraph","content":[{"type":"text","text":"To address this issue, it is advised that filenames in scan results should be sanitized or validated on the server-side. This will prevent attacker-controlled filenames from injecting unintended Markdown content into Jira tickets."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"336622","self":"https://sonarsource.atlassian.net/rest/api/3/issue/336622","key":"SSF-962","fields":{"summary":"SOQ-18-006 WP1: JavaScript source maps disclose unpacked source code (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"The audit team observed that JavaScript source maps are enabled in the web UI, which allows anyone to view the original, unobfuscated React source code. 
Although much of the UI source is publicly available, this may not hold for enterprise versions, which is the reason for this ticket being created."}]},{"type":"paragraph","content":[{"type":"text","text":"While this issue does not pose a direct security risk at present, it may provide attackers with additional insight into the application’s structure, and potentially help them to identify further vulnerabilities."}]},{"type":"paragraph","content":[{"type":"text","text":"Affected URLs:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"https://audit.sonarqube.com/pentesting/js/App-B6p_GGnl.js.map\nhttps://audit.sonarqube.com/pentesting/js/application-D1O5Aq1g.js.map\nhttps://audit.sonarqube.com/pentesting/js/GraphsHistory-CKoVE1Bc.js.map\n[...]"}]},{"type":"paragraph","content":[{"type":"text","text":"Steps to reproduce:","marks":[{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Visit "},{"type":"text","text":"https://audit.sonarqube.com/pentesting/","marks":[{"type":"link","attrs":{"href":"https://audit.sonarqube.com/pentesting/"}}]},{"type":"text","text":" in Chrome."}]}]}]},{"type":"orderedList","attrs":{"order":2},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Open DevTools, navigate to the “Sources” tab, and verify that all client source code is displayed in an unpacked form under the "},{"type":"text","text":"audit.sonarqube.com","marks":[{"type":"link","attrs":{"href":"http://audit.sonarqube.com"}}]},{"type":"text","text":" domain."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate this issue, Cure53 recommends configuring the "},{"type":"text","text":"GENERATE_SOURCEMAP=false","marks":[{"type":"em"},{"type":"strong"}]},{"type":"text","text":" environment variable when building the React application. 
This will allow the disabling of source maps."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"336620","self":"https://sonarsource.atlassian.net/rest/api/3/issue/336620","key":"SSF-961","fields":{"summary":"SOQ-18-002 WP1: Slack OAuth callback redirect can be hardened (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"During testing, it was observed that the Slack SSO authentication’s redirect_uri is sanitized by enforcing static host and protocol values, thereby mitigating the open redirect vulnerability identified during a previous engagement (see SOQ-16-008)."}]},{"type":"paragraph","content":[{"type":"text","text":"However, the path and port components of the redirect_uri can still be manipulated. If the slack.com host permits redirects from specific internal paths, then attackers could direct the redirect_uri to such a path and exploit it to trigger an open redirect to an attacker-controlled page."}]},{"type":"paragraph","content":[{"type":"text","text":"Affected URL:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"https://audit.sonarqube.com/pentesting/oauth-callback/slack?redirect_uri=https://slack.com:1337/a/bc"}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate this issue, it is recommended to set the path to /v2/authorize and the port to 443. 
Additionally, it is advisable to set the redirect URL on the server side, rather than relying on user-supplied values."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"336618","self":"https://sonarsource.atlassian.net/rest/api/3/issue/336618","key":"SSF-960","fields":{"summary":"SOQ-18-005 WP1: Low-privileged DoS during security report download (Medium)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"Dynamic testing of the security report feature revealed that downloading the full report is resource-intensive and significantly impacts server performance. When 100 parallel requests were issued, the instance was found to consistently crash due to memory exhaustion, resulting in a Denial-of-Service (DoS) vulnerability. In the testing environment, the application did not automatically restart, thereby leaving the service unavailable after a small number of requests."}]},{"type":"paragraph","content":[{"type":"text","text":"Exploitation of this issue requires only project view access. Furthermore, because the report download is triggered via a GET request and the authentication cookies are set to SameSite=Lax, attackers can initiate the download without authentication if a victim clicks a crafted link. 
This vulnerability can therefore enable a DoS attack through simple user interaction."}]},{"type":"paragraph","content":[{"type":"text","text":"The following example request can cause the application to crash when executed 100 times in parallel:"}]},{"type":"paragraph","content":[{"type":"text","text":"Example request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"GET /pentesting/api/security_reports/download?project=d&standards= HTTP/1.1\nHost: audit.sonarqube.com\nCookie: JWT-SESSION=ey[..]Q"}]},{"type":"paragraph","content":[{"type":"text","text":"Response:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"HTTP/1.1 500\n[...]\n\n<!doctype html><html lang=\"en\"><head><title>HTTP Status 500 – Internal\nServer Error</title><style type=\"text/css\">body {font-\nfamily:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-\ncolor:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-\nsize:14px;} p {font-size:12px;} a {color:black;} .line\n{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>\nHTTP Status 500 – Internal Server Error</h1></body></html>"}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate this vulnerability, it is recommended to handle report generation in a dedicated component that is isolated from the main application, and which is protected by strict resource consumption controls. 
Additionally, it is advised that the implementation of rate-limiting on resource-intensive endpoints will help to prevent excessive load, and will therefore reduce the risk of DoS attacks."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"332189","self":"https://sonarsource.atlassian.net/rest/api/3/issue/332189","key":"SSF-954","fields":{"summary":"O&R SSFs Q4","description":null}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"329634","self":"https://sonarsource.atlassian.net/rest/api/3/issue/329634","key":"SSF-948","fields":{"summary":"(SQC and SQS) Jira integration SSFs ","description":null}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"313268","self":"https://sonarsource.atlassian.net/rest/api/3/issue/313268","key":"SSF-933","fields":{"summary":"SOQ-17-005 WP1: API accepts requests with content-type text/plain (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"During dynamic testing of the API backend, it was found that the API accepts requests with content-type "},{"type":"text","text":"text/plain","marks":[{"type":"em"}]},{"type":"text","text":" and converts the body of the request into valid JSON for the backend. This configuration results in some potentially unintended consequences."}]},{"type":"paragraph","content":[{"type":"text","text":"Specifically, a request with content-type "},{"type":"text","text":"text/plain","marks":[{"type":"em"}]},{"type":"text","text":" constitutes a "},{"type":"text","text":"simple request","marks":[{"type":"link","attrs":{"href":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#simple_requests"}}]},{"type":"text","text":" which does not trigger a CORS preflight, thus bypassing the CORS policy set by the server. 
Because of this mechanism, preventing simple requests from being accepted by the server is a vital "},{"type":"text","text":"security control against CSRF","marks":[{"type":"link","attrs":{"href":"https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF#avoiding_simple_requests"}}]},{"type":"text","text":"."}]},{"type":"paragraph","content":[{"type":"text","text":"This finding only has an "},{"type":"text","text":"Info","marks":[{"type":"em"}]},{"type":"text","text":" rating because of other security controls in place. In other words, various additional mechanisms prevent active CSRF exploitation. It has to be noted, though, that the overly permissive "},{"type":"text","text":"SameSite","marks":[{"type":"em"}]},{"type":"text","text":" cookie policy ("},{"type":"text","text":"SOQ-17-004","marks":[{"type":"link","attrs":{"href":"https://sonarsource.atlassian.net/browse/SSF-932"}}]},{"type":"text","text":") should be considered in combination with this finding. The two together mean that there are no defense-in-depth mechanisms implemented against CSRF attacks in the SonarQube Cloud API. 
Failing to secure each and every state changing endpoint with CSRF token verification or incorrectly editing the CORS policy would, therefore, result in a CSRF vulnerability."}]},{"type":"paragraph","content":[{"type":"text","text":"Request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"PATCH /organizations/organizations/cure53organization HTTP/2\nHost: api.sc-staging.io\n[...]\nContent-Type: text/plain\n\n{\"avatar\":\"\",\"description\":\"aaaaa\",\"name\":\"cure53organization\",\"url\":\"\",\"onlyPrivateProjects\":false}"}]},{"type":"paragraph","content":[{"type":"text","text":"Response:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"HTTP/2 200 OK\n[...]\n\n{\"id\":\"AZlcp0h82pt7NE7iHvVa\",\"uuidV4\":\"fb2be2dd-4e76-44fd-9e6e-919f59a8f28d\",\"key\":\"cure53organization\",\"name\":\"cure53organization\",\"description\":\"aaaaa\",\"subscription\":\"PAID\",\"createdAt\":1758196091004,\"updatedAt\":1760090798782,\"newProjectPrivate\":true,\"url\":\"\",\"avatarUrl\":\"\",\"defaultQualityGateUuid\":\"AWBzEoq-FTEFvoJcI01C\",\"onlyPrivateProjects\":false,\"enterpriseUpgradable\":false,\"enterpriseFeatures\":true}"}]},{"type":"paragraph","content":[{"type":"text","text":"Cure53 recommends disallowing the content-type conversion from "},{"type":"text","text":"text/plain","marks":[{"type":"em"}]},{"type":"text","text":" into valid JSON in order to prevent simple HTTP requests that could potentially bypass CORS validation from reaching the backend. 
For additional security,"},{"type":"text","text":" ","marks":[{"type":"em"}]},{"type":"text","text":"fetch metadata ","marks":[{"type":"link","attrs":{"href":"https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header"}},{"type":"em"}]},{"type":"text","text":"request headers","marks":[{"type":"link","attrs":{"href":"https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header"}}]},{"type":"text","text":" should be checked by the server to determine the origin of a request, further improving the site’s defense-in-depth against CSRF."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"313266","self":"https://sonarsource.atlassian.net/rest/api/3/issue/313266","key":"SSF-932","fields":{"summary":"SOQ-17-004 WP1: Overly permissive SameSite cookie policy (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"It was found that the "},{"type":"text","text":"SameSite","marks":[{"type":"em"}]},{"type":"text","text":" attribute for the session cookie used to authenticate to the SonarQube Cloud web UI is set to "},{"type":"text","text":"None","marks":[{"type":"em"}]},{"type":"text","text":". The "},{"type":"text","text":"SameSite","marks":[{"type":"link","attrs":{"href":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value"}},{"type":"em"}]},{"type":"text","text":" attribute","marks":[{"type":"link","attrs":{"href":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value"}}]},{"type":"text","text":" controls whether or not a cookie is sent with cross-site requests, providing controls for protecting against Cross-Site Request Forgery (CSRF) attacks. 
The "},{"type":"text","text":"None","marks":[{"type":"em"}]},{"type":"text","text":" value for this attribute is the most permissive, allowing the cookie to be sent with requests originating from another host, using the JavaScript fetch API."}]},{"type":"paragraph","content":[{"type":"text","text":"With other CSRF protections in place - such as a CORS policy and CSRF tokens - modification of the "},{"type":"text","text":"SameSite","marks":[{"type":"em"}]},{"type":"text","text":" attribute can be viewed as a hardening measure, rather than a necessary security fix. However, it is advised that the proposed mechanism would serve as an additional line of defense if a new endpoint was introduced or changed without proper CSRF token validation."}]},{"type":"paragraph","content":[{"type":"text","text":"Steps to reproduce:","marks":[{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Open the "},{"type":"text","text":"browser dev tools","marks":[{"type":"em"}]},{"type":"text","text":" on the SonarQube Cloud website while being authenticated."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Navigate to the "},{"type":"text","text":"Storage/Cookies","marks":[{"type":"em"}]},{"type":"text","text":" location."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"View the details of the "},{"type":"text","text":"JWT-SESSION","marks":[{"type":"em"}]},{"type":"text","text":" cookie, which demonstrates that the "},{"type":"text","text":"SameSite","marks":[{"type":"em"}]},{"type":"text","text":" attribute is set to "},{"type":"text","text":"None","marks":[{"type":"em"}]},{"type":"text","text":"."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Cure53 recommends setting the "},{"type":"text","text":"SameSite","marks":[{"type":"em"}]},{"type":"text","text":" attribute to 
"},{"type":"text","text":"Lax","marks":[{"type":"em"}]},{"type":"text","text":". This will block cross-site JavaScript from sending state-changing requests and leaking information while still retaining the possibility to use authentication cookies for redirects from other sites."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"313264","self":"https://sonarsource.atlassian.net/rest/api/3/issue/313264","key":"SSF-931","fields":{"summary":"SOQ-17-002 WP1: Enumeration of valid token IDs and organization UUIDs (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While performing dynamic testing of the in-scope application, Cure53 identified multiple instances of sensitive information disclosure through enumeration and a lack of requirement for authentication for data retrieval. An Internet-based unauthenticated attacker can obtain information relating to the organizations managed by the SonarQube application. In addition, an authenticated attacker can determine validity of the scoped "},{"type":"text","text":"access","marks":[{"type":"em"}]},{"type":"text","text":" tokens belonging to other organizations within the application."}]},{"type":"paragraph","content":[{"type":"text","text":"Such information presents negligible security risk by itself, which is why this finding has just an "},{"type":"text","text":"Info","marks":[{"type":"em"}]},{"type":"text","text":" grade. However, information of this type can still aid attackers in crafting further scenarios aimed at abusing the SonarSource estate or SonarQube web application. While multiple techniques were identified to retrieve organization and token ID data, a single example has been provided with steps to reproduce below to illustrate the flaw."}]},{"type":"paragraph","content":[{"type":"text","text":"Other affected endpoints are also documented to a lesser extent. 
It should be underlined that valid requests to add organizations to an enterprise disclose organization UUIDs in the case the requesting user is not permitted to add the specified organization. The "},{"type":"text","text":"organization search","marks":[{"type":"em"}]},{"type":"text","text":" functionality provides unauthenticated Internet-based users the ability to retrieve organization information such as the organization "},{"type":"text","text":"name","marks":[{"type":"em"}]},{"type":"text","text":" and "},{"type":"text","text":"key","marks":[{"type":"em"}]},{"type":"text","text":" values. Finally, the "},{"type":"text","text":"organization retrieval","marks":[{"type":"em"}]},{"type":"text","text":" endpoint allows access to the organization ID, UUID, subscription type, etc."}]},{"type":"paragraph","content":[{"type":"text","text":"Affected endpoints:","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"GET /authentication/token-definitions/{id}","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"POST /enterprises/enterprise-organizations","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"GET /api/organizations/search","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"GET /organizations/organizations","marks":[{"type":"em"}]}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Steps to reproduce:","marks":[{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"In organization A, create a scoped "},{"type":"text","text":"access","marks":[{"type":"em"}]},{"type":"text","text":" token. 
Take note of the "},{"type":"text","text":"token-id-org-A","marks":[{"type":"em"}]},{"type":"text","text":"."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Log into organization B and take note of the "},{"type":"text","text":"login-cookie-org-B","marks":[{"type":"em"}]},{"type":"text","text":"."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Use the session for organization B to poll the "},{"type":"text","text":"delete token","marks":[{"type":"em"}]},{"type":"text","text":" endpoint in the manner presented next."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Request 1:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"DELETE /authentication/token-definitions/{token-id-org-A} HTTP/2\nHost: api.sc-staging.io\nCookie: JWT-SESSION={login-cookie-org-B}\n[...]"}]},{"type":"paragraph","content":[{"type":"text","text":"Response 1:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"HTTP/2 403 Forbidden\n[...]\n\n{\"message\":\"User is not an admin of the organization\"}"}]},{"type":"orderedList","attrs":{"order":4},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"If the token has been revoked, the endpoint returns a different error message."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Response 2:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"HTTP/2 404 Not Found\n[...]\n\n{\"message\":\"Token not found\"}"}]},{"type":"paragraph","content":[{"type":"text","text":"Cure53 recommends careful implementation of authorization controls to prevent the enumeration of the organization ID, key, subscription type and UUID to platform users that should not have access to the given organization. 
Furthermore, Cure53 believes that ensuring authentication should be required for all functionality that is not intended for unauthenticated users."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"313260","self":"https://sonarsource.atlassian.net/rest/api/3/issue/313260","key":"SSF-930","fields":{"summary":"SOQ-17-003 WP1: Various ACL issues with scoped tokens (Low)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While auditing the scoped token feature of the SonarQube Cloud app, several potential ACL issues for both cross-organization, as well as cross-project realms, were identified by the Cure53 testers."}]},{"type":"paragraph","content":[{"type":"text","text":"For example, it is possible for a token scoped for one project to access the quality profiles and quality gates of other projects in the same org. Scoped tokens are also able to access rules and quality gates in other organizations. They can also check whether the SCA feature is enabled, or read basic meta information about other organizations."}]},{"type":"paragraph","content":[{"type":"text","text":"It was additionally found that tokens can read all accounts (including email addresses) of the current organization. This presumably exceeds privileges for these scoped down access tokens that are meant to only grant minimal access."}]},{"type":"paragraph","content":[{"type":"text","text":"The severity of this finding was set to Low because no personally identifiable information (PII) or intellectual property-related data could be leaked through these issues. 
The ACL issues are enumerated in the following listing."}]},{"type":"paragraph","content":[{"type":"text","text":"Cross-project ACL - affected endpoints:","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"/api/qualityprofiles/search","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"/quality-gates/project-associations","marks":[{"type":"em"}]}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Cross-organization ACL - affected endpoints:","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"/sca/feature-enabled","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"/api/rules/app","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"/api/organizations/search","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"/quality-gates/project-associations","marks":[{"type":"em"}]}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"General ACL - affected endpoints:","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"/api/organizations/search_members","marks":[{"type":"em"}]}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Cure53 recommends limiting access to the scoped tokens to the local project and organization. 
The SonarQube deployment should more closely adhere to the principles of "},{"type":"text","text":"least privilege","marks":[{"type":"link","attrs":{"href":"https://csrc.nist.gov/glossary/term/least_privilege"}}]},{"type":"text","text":" when provisioning access to local resources."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"313258","self":"https://sonarsource.atlassian.net/rest/api/3/issue/313258","key":"SSF-929","fields":{"summary":"SOQ-17-001 WP1: Adding arbitrary project roles to scoped tokens (Low)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"During dynamic testing of the scoped token API endpoints, it was found that users are able to create scoped tokens with access to the "},{"type":"text","text":"admin, codeviewer, issueadmin, securityhotspotadmin","marks":[{"type":"em"}]},{"type":"text","text":", and "},{"type":"text","text":"user","marks":[{"type":"em"}]},{"type":"text","text":" roles. This can be achieved even though the scoped tokens should only be provisioned with the "},{"type":"text","text":"scan","marks":[{"type":"em"}]},{"type":"text","text":" role."}]},{"type":"paragraph","content":[{"type":"text","text":"The handling contradicts the SonarQube documentation, as well as "},{"type":"text","text":"admin","marks":[{"type":"em"}]},{"type":"text","text":" capabilities - as deployed in the SonarQube web UI. In the latter, creating tokens with these additional roles is not possible."}]},{"type":"paragraph","content":[{"type":"text","text":"By leveraging this flaw, users can create persistent project "},{"type":"text","text":"admin","marks":[{"type":"em"}]},{"type":"text","text":" access tokens. The corresponding "},{"type":"text","text":"/users/roles","marks":[{"type":"em"}]},{"type":"text","text":" endpoint also allows users to add roles and repositories to existing access tokens well after they have been created. 
This issue has been assigned a "},{"type":"text","text":"Low","marks":[{"type":"em"}]},{"type":"text","text":" severity because the finding does not constitute a privilege escalation path within the application."}]},{"type":"paragraph","content":[{"type":"text","text":"Steps to reproduce:","marks":[{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Create a scoped organization token and take note of the "},{"type":"text","text":"principalId","marks":[{"type":"em"}]},{"type":"text","text":" in the request."}]}]}]},{"type":"orderedList","attrs":{"order":2},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"After the token has been created, send another request to the "},{"type":"text","text":"/users/roles","marks":[{"type":"em"}]},{"type":"text","text":" endpoint with the "},{"type":"text","text":"resourceId","marks":[{"type":"em"}]},{"type":"text","text":" of a different repository and a different role:"}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"none"},"content":[{"type":"text","text":"POST /users/roles HTTP/2\nHost: api.sc-staging.io\n[...]\n{\n \"principalId\":\"ba3ca485-fcea-4f4e-87c3-5c9b4b07f44d\",\n \"principalType\":\"organizationToken\",\n \"resourceType\":\"project\",\n \"resourceId\":\"815a47ce-0647-4922-adcf-fe3f096c83da\",\n \"role\":\"admin\"\n}"}]},{"type":"paragraph","content":[{"type":"text","text":"Response:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"HTTP/2 201 Created\n[...]\n{\n \"principalId\":\"ba3ca485-fcea-4f4e-87c3-5c9b4b07f44d\",\n \"principalType\":\"organizationToken\",\n \"resourceId\":\"815a47ce-0647-4922-adcf-fe3f096c83da\",\n \"resourceType\":\"project\",\n \"role\":\"admin\",\n 
\"id\":\"d80db3ec-4cc0-4d1b-9bc3-49b713cffdf0\"\n}"}]},{"type":"orderedList","attrs":{"order":3},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Observe that the role for accessing the new repository has been added and is also reflected in the web view. An additional entry can be seen as added to the web view. Note that the "},{"type":"text","text":"admin","marks":[{"type":"em"}]},{"type":"text","text":" role is only visible when introspecting the token via the "},{"type":"text","text":"/users/roles","marks":[{"type":"em"}]},{"type":"text","text":" endpoint."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Cure53 recommends restricting the roles that can be provisioned for scoped tokens in the "},{"type":"text","text":"/users/roles","marks":[{"type":"em"}]},{"type":"text","text":" endpoint. It should not be possible to add additional roles on other repositories after a token has already been created unless this functionality is transparently explained and understood by the customer."}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":2},"content":[{"type":"text","text":"Notes"}]},{"type":"paragraph","content":[{"type":"text","text":"Currently we don’t officially support adding roles beyond project analysis, but as an admin, you can do it via API."}]},{"type":"paragraph","content":[{"type":"text","text":"The risk here is permissions creep as the admin can’t easily learn what scope was assigned to an SOT token."}]},{"type":"paragraph","content":[{"type":"text","text":"The possible approach to fix is to allowlist specific roles for SOT."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"304400","self":"https://sonarsource.atlassian.net/rest/api/3/issue/304400","key":"SSF-893","fields":{"summary":"SOQ-16-008 WP1: Open redirect via redirect_uri in Slack authenticator 
(Low)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While investigating the SSO authentication protocols, Cure53 observed that the SlackOAuthCallback function assigns the redirect_uri parameter to window.location.href, which is attacker-controllable and hence induces an open redirect vector."}]},{"type":"paragraph","content":[{"type":"text","text":"Nonetheless, the site’s Content-Security-Policy (CSP) prevents inline script execution, therefore blocking exploitation via injected JavaScript URLs. Cure53 also evaluated whether the OAuth authorization code could be leaked to the attacker-controlled redirect URL, although the code is not included in the redirected request."}]},{"type":"paragraph","content":[{"type":"text","text":"Affected URL:","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"https://sc-staging.io/oauth-callback/slack?redirect_uri=https://attacker.com","marks":[{"type":"link","attrs":{"href":"https://sc-staging.io/oauth-callback/slack?redirect_uri=https://attacker.com"}}]}]},{"type":"paragraph","content":[{"type":"text","text":"The following code snippet outlines the root cause of the vulnerability."}]},{"type":"paragraph","content":[{"type":"text","text":"Affected file:","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"https://sc-staging.io/src/apps/oauth/SlackOAuthCallback.tsx","marks":[{"type":"link","attrs":{"href":"https://sc-staging.io/src/apps/oauth/SlackOAuthCallback.tsx"}}]}]},{"type":"paragraph","content":[{"type":"text","text":"Affected code:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"typescript"},"content":[{"type":"text","text":"export default function SlackOAuthCallback() {\nconst { currentUser, isLoggedIn } = useCurrentUser();\nconst [isStateInvalid, setIsStateInvalid] = useState(false);\nconst [searchParams] = useSearchParams();\nconst code = searchParams.get('code');\nconst 
redirectUri = searchParams.get('redirect_uri');\nconst state = searchParams.get('state');\nconst { isSuccess: isBindingSuccessful, mutate: createSlackBinding } =\nusePostUserBindingMutation();\nuseEffectOnce(() => {\nif (!isStringDefined(redirectUri) || code !== null || state !== null) {\nreturn;\n}\nconst stateToSave = uuidv4();\nsave(SLACK_OAUTH_STATE_LS_KEY, stateToSave);\nconst redirectUrl = new URL(redirectUri);\nredirectUrl.searchParams.set('state', stateToSave);\nwindow.location.href = redirectUrl.href;\n});"}]},{"type":"paragraph","content":[{"type":"text","text":"To resolve this vulnerability, Cure53 advises strictly validating the redirect_uri parameter on the server before it is returned to the client. Only pre-registered redirect URIs or a tight allowlist of trusted hosts and paths should be accepted. All incoming values containing non-https:// schemes, such as javascript:// or other unexpected characters, must be rejected."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"287270","self":"https://sonarsource.atlassian.net/rest/api/3/issue/287270","key":"SSF-854","fields":{"summary":"SOQ-15-005 WP3: Potential limited SSRF in download endpoint (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While probing the SonarSource website’s /api/download endpoint, Cure53 discovered that the backend employs the asset parameter to fetch content from other servers. This implementation could facilitate Server-Side Request forgery (SSRF) in certain contexts."}]},{"type":"paragraph","content":[{"type":"text","text":"To ensure that the endpoint is not vulnerable to this risk, Cure53 requested the corresponding source code and determined that the hostname is verified correctly after the analysis. 
However, if any server within the allowed domains is prone to open redirects, an adversary could exploit this problem to launch an SSRF attack against the SonarSource website."}]},{"type":"paragraph","content":[{"type":"text","text":"Nevertheless, the SSRF is significantly limited since the MIME type of the response is checked."}]},{"type":"paragraph","content":[{"type":"text","text":"Affected code:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"const isAllowedDomain = (hostname: string): boolean =>\nhostname.endsWith('.kc-usercontent.com');\nconst handler = async ({ method, query }: GatsbyFunctionRequest, res: GatsbyFunctionResponse) => {\ntry {\n[...]\nconst decodedAssetURL = new URL(nodeAtob(query.asset));\nif (!isAllowedDomain(decodedAssetURL.hostname)) {\nthrow new Error('Invalid domain');\n}\nconst response = await fetch(decodedAssetURL.toString());\nconst statusCode = response.status;\nconst arrayBuffer = await response.arrayBuffer();\nconst filename = last(decodedAssetURL.pathname.split('/'));\nconst { mime } = (await fileTypeFromBuffer(arrayBuffer)) || {};\nif (!mime || !isAllowedContentType(mime)) {\nthrow new Error('Invalid file type');\n}"}]},{"type":"paragraph","content":[{"type":"text","text":"Steps to reproduce:","marks":[{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Assuming that a subdomain is susceptible to open redirects, craft the following URL to redirect to an internal server, which will enable SSRF attacks."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"URL:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"https://vulnerable-subdomain.kc-usercontent.com/redirect?url=https://domain.internal"}]},{"type":"orderedList","attrs":{"order":2},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Encode the 
URL using base64 and perform the following request."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"GET /api/download?asset=aHR0cHM6Ly92dWxuZXJhYmxlLXN1YmRvbWFpbi5rYy11c2VyY29udGVudC5jb20vcmVkaXJlY3Q/dXJsPWh0dHBzOi8vZG9tYWluLmludGVybmFs HTTP/2\nHost: www.sonarsource.com "}]},{"type":"orderedList","attrs":{"order":3},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"If an attacker successfully identifies and exploits a vulnerable subdomain, a successful request to domain.internal will be issued."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate this issue and constrain the attack surface, Cure53 recommends restricting the redirect property of the fetch request. Ideally, redirects should be fully disabled. If this approach is infeasible, each redirect URL should be checked using the isAllowedDomain function."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"287268","self":"https://sonarsource.atlassian.net/rest/api/3/issue/287268","key":"SSF-853","fields":{"summary":"SOQ-15-004 WP3: Limited HTML injection in confirmation email page (Low)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While examining the contact form functionality on the public-facing "},{"type":"inlineCard","attrs":{"url":"http://sonarsource.com"}},{"type":"text","text":" website, Cure53 identified that the handling of user-supplied input in the confirmation email sent to users upon form submission is suboptimal under the current setup. 
Specifically, the first_name parameter in the JSON body submitted to the /api/submit-form endpoint is rendered without sufficient sanitization or escaping in the resulting HTML email."}]},{"type":"paragraph","content":[{"type":"text","text":"This type of HTML injection allows a malicious user to manipulate the content of confirmation emails sent by the system. As a result, deceptive emails can be crafted that appear legitimate, increasing the risk of phishing attacks. For example, attackers could embed harmful links or misleading content in the email body to trick recipients."}]},{"type":"paragraph","content":[{"type":"text","text":"Steps to reproduce:","marks":[{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Navigate to the SonarSource contact form via the following URL: "},{"type":"inlineCard","attrs":{"url":"https://www.sonarsource.com/company/contact/"}},{"type":"text","text":" ."}]}]}]},{"type":"orderedList","attrs":{"order":2},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Submit the form using the following HTML snippet in the first name field, either via the website or by sending a request to the /api/submit-form endpoint."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"POST /api/submit-form HTTP/2\nHost: http://www.sonarsource.com \nReferer: https://www.sonarsource.com/company/contact/ \nContent-Type: application/json\nContent-Length: 297\n{\n\"first_name\": \"<a href='https://cure53.de '>Cure53</a>\",\n\"last_name\":\"Test\",\n\"company\":\"Cure53\",\n\"email\":\"victor+test@rs.cure53.de\",\n\"Phone\":\"\",\n\"country\":\"Austria\",\n\"Message\": 
hello\",\n\"Scope\":\"contact\",\n\"Form_type\":\"contact\",\n\"Campaign_id\":\"\",\n\"Marketing_opt_out\":true,\n\"Request_type\":null,\n\"Cq_req_id\":\"\"\n}"}]},{"type":"paragraph","content":[{"type":"text","text":"Response:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"HTTP/2 200 OK\nContent-Type: application/json\nServer: Netlify\n{\n\"success\":true\n}"}]},{"type":"orderedList","attrs":{"order":3},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Open the confirmation email in a mail client."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"View the email's page source or inspect the rendered content."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Observe that the submitted HTML input is reflected unsanitized in the email body, resulting in HTML injection."}]}]}]},{"type":"codeBlock","content":[{"type":"text","text":"<a href=\"https://cure53.de \" target=\"_blank\" data-saferedirecturl=\"https://www.google.com/url?q=https://cure53.de>Cure53</a>"}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate this vulnerability, Cure53 recommends enforcing strict input sanitization and escaping of all user-supplied data. 
This is particularly important when the data is passed to downstream systems, which may not be resilient to malformed or malicious input."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"281172","self":"https://sonarsource.atlassian.net/rest/api/3/issue/281172","key":"SSF-841","fields":{"summary":"CWE-693 found in 2025.2","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"Per the customer, they have been successful in exploiting this vulnerability:"}]},{"type":"blockquote","content":[{"type":"paragraph","content":[{"type":"text","text":"During our penetration test on Sonarqube (on premise), one finding was identified: a Protection Mechanism Failure. This finding concerns an incomplete Content Security Policy (CSP), which results in a missing key defense-in-depth measure that increases the risk of cross-site scripting abuse. "}]},{"type":"paragraph","content":[{"type":"text","text":"CVSS Score: 0.0"},{"type":"hardBreak"},{"type":"text","text":"CWE Reference: CWE-693"}]},{"type":"paragraph","content":[{"type":"text","text":"SonarQube does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product."}]},{"type":"paragraph","content":[{"type":"text","text":"The application's Content Security Policy (CSP) does not restrict the use of unsafe-inline, which may permit the execution of arbitrary styles. "}]},{"type":"paragraph","content":[{"type":"text","text":"Request: "},{"type":"hardBreak"},{"type":"text","text":"GET /projects HTTP/1.1"},{"type":"hardBreak"},{"type":"text","text":" Host: sonarqube.dev.services.corp"},{"type":"hardBreak"},{"type":"text","text":" [..] 
"}]},{"type":"paragraph","content":[{"type":"text","text":"Response: "},{"type":"hardBreak"},{"type":"text","text":"HTTP/1.1 200"},{"type":"hardBreak"},{"type":"text","text":" x-frame-options: SAMEORIGIN"},{"type":"hardBreak"},{"type":"text","text":"strict-transport-security: max-age=31536000; includeSubDomains; "},{"type":"hardBreak"},{"type":"text","text":"x-xss-protection: 0"},{"type":"hardBreak"},{"type":"text","text":"x-content-type-options: nosniff"},{"type":"hardBreak"},{"type":"text","text":"content-security-policy: default-src 'self'; base-uri 'none'; connect-src 'self' http: https:; font-src 'self' data:; img-src * data: blob:; object-src 'none'; script-src 'self' 'sha256-D1jaqcDDM2TM2STrzE42NNqyKR9PlptcHDe6tyaBcuM='; style-src 'self' 'unsafe-inline'; worker-src 'none' "},{"type":"hardBreak"},{"type":"text","text":"cache-control: no-cache, no-store, must-revalidate"},{"type":"hardBreak"},{"type":"text","text":"vary: accept-encoding"},{"type":"hardBreak"},{"type":"text","text":"content-type: text/html;charset=utf-8"},{"type":"hardBreak"},{"type":"text","text":"date: Mon, 30 Jun 2025 14:26:31 GMT "},{"type":"hardBreak"},{"type":"text","text":"Content-Length: 1698"}]},{"type":"paragraph","content":[{"type":"text","text":"Question: Are you aware of this vulnerability and are there any plans to mitigate?","marks":[{"type":"strong"}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Ref: "},{"type":"text","text":"https://sonarsourcehelp.zendesk.com/agent/tickets/49655","marks":[{"type":"link","attrs":{"href":"https://sonarsourcehelp.zendesk.com/agent/tickets/49655"}}]}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"277143","self":"https://sonarsource.atlassian.net/rest/api/3/issue/277143","key":"SSF-829","fields":{"summary":"Admin user data left on employee devices","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"On the macOS test 
laptop, it was observed that the user 'master.admin' used for configuring the system had used the Island browser and that profile data was not cleaned before delivering the device to the user."}]},{"type":"paragraph","content":[{"type":"text","text":"The data can be found in the following location:"}]},{"type":"codeBlock","content":[{"type":"text","text":"/Users/master.admin/Library/Application Support/Island/Default"}]},{"type":"paragraph","content":[{"type":"text","text":"This finding exposes potentially confidential data of the administrator inside the database files:"}]},{"type":"mediaSingle","attrs":{"layout":"align-start"},"content":[{"type":"media","attrs":{"type":"file","id":"c8fd65b0-fb29-4bcc-9fe2-e1a22ace3102","alt":"image-20250708-110317.png","collection":"","height":122,"width":696}}]},{"type":"paragraph","content":[{"type":"text","text":"Figure 11 - History of the administrator's browser.","marks":[{"type":"strong"}]}]},{"type":"mediaSingle","attrs":{"layout":"align-start"},"content":[{"type":"media","attrs":{"type":"file","id":"fd5e8e45-4250-4689-9fd2-2e70655680b6","alt":"image-20250708-110334.png","collection":"","height":129,"width":699}}]},{"type":"paragraph","content":[{"type":"text","text":"Figure 12 - Email address of the administrator inside 'Login Data' database.","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"The cookies, however, are encrypted inside the 'Cookies' database and can only be decrypted using the key stored inside the user's OS keychain, which needs to be unlocked by authenticating with the legitimate user password. 
As long as an attacker cannot recover this password, the cookies should remain secure."}]},{"type":"mediaSingle","attrs":{"layout":"align-start"},"content":[{"type":"media","attrs":{"type":"file","id":"c994b6c0-1f31-4554-8038-ae84499e36ec","alt":"image-20250708-110417.png","collection":"","height":206,"width":692}}]},{"type":"paragraph","content":[{"type":"text","text":"Figure 13 - Encrypted cookie values of master.admin’s browser","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"In general, the presence of the admin account on a system where users have elevated privileges can be risky, as it increases the attack surface."}]},{"type":"paragraph","content":[{"type":"text","text":"For instance, it may leak the user's password digest, which can be cracked if it is not sufficiently strong. Additionally, it could be targeted during social engineering scenarios, for instance by modifying the files executed during the administrator's session and requesting the helpdesk to make some configuration changes to the system, thereby encouraging them to connect with the helpdesk account."}]},{"type":"heading","attrs":{"level":2},"content":[{"type":"text","text":"Recommendation(s)","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"To prevent access to unexpected data used by the administrator accounts and mitigate potential attacks, it is recommended to remove the local administrator accounts after the initial setup."}]},{"type":"paragraph","content":[{"type":"text","text":"If the first suggestion is not feasible, systematically removing the Island browser data and all potential temporary configuration files from the helpdesk account would also help prevent potential leaks."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"270146","self":"https://sonarsource.atlassian.net/rest/api/3/issue/270146","key":"SSF-812","fields":{"summary":"SOQ-13-006 WP1: API path 
traversal on SonarQube Server connection test (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While checking the various connection configurations available, the discovery was made that the SonarQube Server connection check is prone to a path traversal issue. When a URL is entered into the “Server URL” field while configuring SonarQube Server connections, a request is sent to the path /api/system/status in order to check if the server is running the SonarQube Server application. However, since additional characters are allowed - e.g. \"../\", \"?\", and \"#\" - the path can be traversed up and down, or moved to the parameter or fragment URL parts, in order to query other paths. This is demonstrated in the following example:"}]},{"type":"paragraph","content":[{"type":"text","text":"Sample URL:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"https://h0i29bcohxnlpc78xfpkfpxwbnhe55tu.oastify.com/arbitrary/path?"}]},{"type":"paragraph","content":[{"type":"text","text":"Resulting request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"GET /arbitrary/path?/api/system/status HTTP/1.1\nHost: h0i29bcohxnlpc78xfpkfpxwbnhe55tu.oastify.com\nConnection: keep-alive\nUser-Agent: SonarQube for IDE (SonarLint) - Visual Studio Code 4.23.0+77726 - 1.100.2"}]},{"type":"paragraph","content":[{"type":"text","text":"Although this issue could be useful to an attacker in conjunction with other vulnerabilities, no exploitation could be found for this specific scenario, and the ticket was therefore included here for informational purposes. Nevertheless, in order to harden the application against such issues, Cure53 recommends the introduction of additional validation. It is advised to ensure that all user input is optimally sanitized and validated before being used in a URL path. 
This should include checking for malicious characters that could be used to traverse the structure of the path, such as \"../\", \"?\", or \"#\"."}]},{"type":"paragraph","content":[{"type":"text","text":"It is additionally advised that the implementation could be adapted in order to allow only domain names, by accepting solely characters aligning with (e.g.) "},{"type":"text","text":"RFC 1035","marks":[{"type":"link","attrs":{"href":"https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.1"}}]},{"type":"text","text":". This would further reduce the potential for exploitation."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"267296","self":"https://sonarsource.atlassian.net/rest/api/3/issue/267296","key":"SSF-804","fields":{"summary":"SOQ-13-004 WP1: Lack of access restrictions via SonarQube Cloud token (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"The current implementation of the MCP server utilizes SonarQube Cloud tokens, which inherently grant access to all data associated with the corresponding user account. This includes all assigned projects, regardless of whether those resources are actively used by the MCP API interface. It is advised that this broad access could unintentionally expose sensitive project information, especially when AI agents connected to the local MCP environment should only have access to specific projects."}]},{"type":"paragraph","content":[{"type":"text","text":"An example of this risk is the search_sonar_issues_in_projects tool, which can potentially enumerate and access issues across all projects available to the authenticated token. 
Without proper access scoping or filtering, this could result in the unintentional leakage of confidential project details."}]},{"type":"paragraph","content":[{"type":"text","text":"To harden against potential misuse of this issue, it is recommended to use project-level tokens that restrict access exclusively to the intended projects."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"238556","self":"https://sonarsource.atlassian.net/rest/api/3/issue/238556","key":"SSF-749","fields":{"summary":"Vulnerability Report 01: Absence of MTA-STS Record Potentially Exposing Email Communications","description":{"type":"doc","version":1,"content":[{"type":"rule"},{"type":"paragraph","content":[{"type":"text","text":"Hi team,"}]},{"type":"paragraph","content":[{"type":"text","text":"This report highlights an issue observed within the platform, detailing its impact and potential resolution."}]},{"type":"paragraph","content":[{"type":"text","text":"Vulnerability Report 01: Absence of MTA-STS Record Potentially Exposing Email Communications.","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"Vulnerable domain: ","marks":[{"type":"strong"}]},{"type":"text","text":"sonarsource.com","marks":[{"type":"link","attrs":{"href":"http://sonarsource.com/"}}]}]},{"type":"paragraph","content":[{"type":"text","text":"Description:","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"Upon examining the DNS (Domain Name System) record, I realized that the MTA-STS record is missing. The MTA-STS mechanism is designed to enforce secure email communication by requiring the use of TLS (Transport Layer Security) encryption. 
However, in this case, the absence of the MTA-STS record exposes the email infrastructure to potential security vulnerabilities."}]},{"type":"paragraph","content":[{"type":"text","text":"Expected Behavior:","marks":[{"type":"strong"}]},{"type":"hardBreak"},{"type":"text","text":"The MTA-STS record should be correctly configured and published in the DNS records for the domain: "},{"type":"text","text":"sonarsource.com","marks":[{"type":"link","attrs":{"href":"http://sonarsource.com/"}}]},{"type":"hardBreak"},{"type":"text","text":" It is essential for secure email communication and enforcing TLS encryption for all incoming and outgoing email traffic."}]},{"type":"paragraph","content":[{"type":"text","text":"Proof Of Concept:","marks":[{"type":"strong"}]}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"type":"external","url":"https://mail.google.com/mail/u/0?ui=2&ik=9f2af0b783&attid=0.1&permmsgid=msg-f:1825264796946203924&th=1954a4a983010514&view=fimg&fur=ip&permmsgid=msg-f:1825264796946203924&sz=s0-l75-ft&attbid=ANGjdJ-Gw5O_RtdLwqLOfE6RajAFFcMIINUnrsvhlVmcpJxZyFL953IWgRcPXV4LF_P8rApi_CjYTsyJtHprcBbChvRvLHoOxRZVdVgLNoi6c8OE84H3yLHcTyPByMw&disp=emb&realattid=ii_m7o4ni360&zw","alt":"image.png","height":443,"width":1410}}]},{"type":"paragraph","content":[{"type":"text","text":"Impact:","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Email Security Risk:","marks":[{"type":"strong"}]},{"type":"text","text":" Without an MTA-STS record, the domain is vulnerable to man-in-the-middle (MITM) attacks, where email traffic can be intercepted or altered in transit."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Email Deliverability Issues:","marks":[{"type":"strong"}]},{"type":"text","text":" Some mail servers may reject or mark emails as suspicious if they cannot verify the secure connection using 
MTA-STS."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Non-compliance:","marks":[{"type":"strong"}]},{"type":"text","text":" Domains without MTA-STS records may not comply with modern email security best practices, which could affect the trustworthiness of the domain."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Mitigation:","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Please make","marks":[{"type":"strong"}]},{"type":"text","text":" sure the DNS configuration for the domain includes the MTA-STS policy. This can be done by adding a DNS TXT record for the domain (e.g., "},{"type":"text","text":"_mta-sts.domain.com","marks":[{"type":"code"}]},{"type":"text","text":"), specifying the MTA-STS policy."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Enable HTTPS for MTA-STS Reports:","marks":[{"type":"strong"}]},{"type":"text","text":" Set up a reporting URL for MTA-STS to receive reports about issues with MTA-STS validation."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Monitor Email Security:","marks":[{"type":"strong"}]},{"type":"text","text":" Regularly check the status of the MTA-STS record to ensure it is configured correctly and functioning as intended."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"DNS Propagation:","marks":[{"type":"strong"}]},{"type":"text","text":" After setting up the MTA-STS record, verify that DNS changes have been propagated and are accessible from external sources."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Additional Notes:","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"MTA-STS provides an additional layer of email security by 
enforcing TLS encryption between mail servers. It is highly recommended for domains handling sensitive communications."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"I hope this issue will be taken care of quickly, and I would appreciate it if you could let me know the compensation you are offering for this security disclosure."}]},{"type":"paragraph","content":[{"type":"text","text":"Thank you."}]},{"type":"rule"}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"236932","self":"https://sonarsource.atlassian.net/rest/api/3/issue/236932","key":"SSF-740","fields":{"summary":"SOQ-11-004 WP1: Possible side effects of non-standard HTTP headers (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While testing the SonarQube Cloud API, Cure53 discovered that specific components of the Sonar platform accept non-standard HTTP headers, causing unexpected behavior. Specifically, the X-Http-Method-Override header overrides the request method, and the X-Amzn-Requestid header is directly reflected in the server’s response."}]},{"type":"paragraph","content":[{"type":"text","text":"The following request and response pair show how a GET request to /billing/plans transforms into an OPTIONS request when X-Http-Method-Override: OPTIONS is present and how X-Amzn-Requestid is echoed in the response."}]},{"type":"paragraph","content":[{"type":"text","text":"Request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"GET /billing/plans?product=SonarCloud HTTP/2\nHost: api.sc-staging.io\nX-Http-Method-Override: OPTIONS\nX-Amzn-Requestid: Cure53\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 
Safari/537.36"}]},{"type":"paragraph","content":[{"type":"text","text":"Response:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"HTTP/2 200 OK\nDate: Wed, 12 Feb 2025 09:55:41 GMT\nContent-Type: application/json\nContent-Length: 0\nServer: Server\nX-Amzn-Requestid: Cure53\nAccess-Control-Allow-Origin: https://sc-staging.io \nAccess-Control-Allow-Headers: Content-Type,Authorization,Cookie,X-Xsrf-Token\nX-Amz-Apigw-Id: F3Z0sF69liAFdsg=\nAccess-Control-Allow-Methods: GET, OPTIONS\nX-Amzn-Trace-Id: Root=1-67ac701d-52cde67c18355c603017c9bf\nAccess-Control-Allow-Credentials: true"}]},{"type":"paragraph","content":[{"type":"text","text":"Allowing non-standard HTTP headers such as X-Http-Method-Override to override request methods introduces unpredictability in server logic and increases avenues that malicious actors can explore for attack scenarios. This setup could lead to vulnerabilities, such as web cache poisoning, where an attacker manipulates cache to store illegitimate or harmful responses under valid request identifiers."}]},{"type":"paragraph","content":[{"type":"text","text":"To eliminate the associated risks, Cure53 suggests evaluating the use-case of the HTTP headers discussed above. These should either be removed from incoming requests at the Sonar network perimeter, or the SonarSource team must ensure that all systems employed within the Sonar platform ignore their presence in requests."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"236931","self":"https://sonarsource.atlassian.net/rest/api/3/issue/236931","key":"SSF-739","fields":{"summary":"SOQ-11-003 WP1: Unfixed miscellaneous issues from previous audits (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"Cure53 found that previously reported issues from the test iterations tracked as SOC-10 and SOC-12 remained unaddressed. 
This is being pointed out especially since these flaws could be remediated with minor efforts, i.e., through simple code tweaks."}]},{"type":"paragraph","content":[{"type":"text","text":"The following list summarizes the unfixed issues, along with their severity scores. These have been confirmed to persist in the application parts in scope."}]},{"type":"paragraph","content":[{"type":"text","text":"Unresolved issues:","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOC-10-001 WP1: Information disclosure via error messages (Low)"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOC-10-004 WP1: Enumeration of organization IDs via enterprises endpoint (Info)"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOC-10-007 WP1: Inadequate session cookie SameSite flag settings (Low)"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOC-12-004 WP1: Ineffective CSP on staging and squad5 environments (Low)"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOC-12-009 WP1: Lack of rate-limiting allows coupon brute-forcing (Info)"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"SOC-12-008 WP1: 2-Click open redirect via returnUrl in self-manage-session (Low)"}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Clarification note","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"The issues SOC-12-009 and SOC-12-008 now affect the host "},{"type":"inlineCard","attrs":{"url":"https://sc-staging.io"}},{"type":"text","text":" . 
In the previous assessment, a different host was impacted, likely because the Stripe-related features were provided through a different URL or endpoint. However, the underlying feature and associated weakness remain unchanged. Furthermore, please note that Cure53 did not retest SOC-12-004 against the squad5 environment since it was not included in this iteration's scope."}]},{"type":"paragraph","content":[{"type":"text","text":"It is recommended to introduce the suggested remediations and eradicate all past issues, as advised in the relevant reports. Resolution of the unfixed issues would provide additional security features, further hardening the SonarQube platform."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"236927","self":"https://sonarsource.atlassian.net/rest/api/3/issue/236927","key":"SSF-737","fields":{"summary":"SOQ-11-007 WP1: IP address leak via malicious avatar URL (Low)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"During the assessment, Cure53 identified a security risk related to avatar or profile pictures, which can be configured using a URL that points to an external image. This URL is embedded within the web application, causing the image to be loaded from an externally available source each time it is accessed, also when the actions are performed by other users. As a result, the private IP addresses of users who load the avatar of a specific user or organization can be exposed."}]},{"type":"paragraph","content":[{"type":"text","text":"Additionally, this vulnerability is particularly interesting because, at the time of testing, an invited member was not required to confirm their invitation in the context of an organization. This means that an adversary could invite any Sonar user from the instance to an organization while setting a malicious avatar URL. 
When the invited user accesses the organization overview at "},{"type":"inlineCard","attrs":{"url":"https://sc-staging.io/account/organizations"}},{"type":"text","text":" , their private IP address is leaked. The only prerequisite for this attack is that the invited user loads the overview page for organizations."}]},{"type":"paragraph","content":[{"type":"text","text":"Steps to reproduce:","marks":[{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Create a new organization as shown in the request below."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"POST /api/organizations/create HTTP/1.1\nHost: http://sc-staging.io \n[...]\navatar=https%3A%2F%2Fxbc2gd7sro24f73kbuj19d7ey54ws1gq.oastify.com&description=test+org+for+testing+IP+leak&key=cure53-test-9&name=cure53-test-9&url=https%3A%2F%2Fcure53.de"}]},{"type":"orderedList","attrs":{"order":2},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Invite a new user to the organization (see request below)"}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"POST /api/organizations/add_member HTTP/1.1\nHost: http://sc-staging.io \n[...]\n\nlogin=SimonRSC53-u3Nsx%40github&organization=cure53-test-9"}]},{"type":"orderedList","attrs":{"order":3},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Wait until the invited user accesses the organizations overview page on https://sc-staging.io/account/organizations or at a similar location. 
The invited user requests the avatar URL, thus leaking their IP."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Cure53 advises implementing restrictions on external avatar URLs to prevent IP leakage. Another effective mitigation would be to cache or store the avatar images on SonarQube Cloud servers and serve them from a URL controlled by SonarQube Cloud. Relying on externally hosted images is ill-advised since these could be controlled by an attacker. Additionally, requiring explicit confirmation for organization invitations would reduce the overall attack surface."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"236925","self":"https://sonarsource.atlassian.net/rest/api/3/issue/236925","key":"SSF-735","fields":{"summary":"SOQ-11-005 WP1: API bypass of free plan limitations (Medium)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While assessing the limitations of SonarQube’s free plan, Cure53 found that some restrictions related to paid features are only enforced on the client, i.e., the web UI. Directly issuing the HTTP requests to the respective API endpoints allowed bypassing of these constraints."}]},{"type":"paragraph","content":[{"type":"text","text":"The API call below demonstrates how a SonarQube Cloud user is added to the cure53-test-3 organization that is on the free plan. 
Repeatedly performing this API request with different SonarQube users allowed going over the free plan’s five-member limit."}]},{"type":"paragraph","content":[{"type":"text","text":"Request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"POST /api/organizations/add_member HTTP/2\nHost: http://sc-staging.io \nCookie: JWT-SESSION=[REDACTED]\nX-Xsrf-Token: lja2jn173ragv7bh5q9jh69867\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 53\nlogin=VCure53-BadhO@github&organization=cure53-test-3"}]},{"type":"paragraph","content":[{"type":"text","text":"Response:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"HTTP/2 200 OK\nContent-Type: application/json\nDate: Wed, 12 Feb 2025 14:12:58 GMT\nX-Sonar-Server-Time: 1739369578359\nSonar-Version: 10.14.0.2599\n[...]\n{\n\"user\": {\n\"login\": \"VCure53-BadhO@github\",\n\"name\": \"VCure53\",\n\"avatar\": \"7bd56a27a01fd7582e765a7159a8fbcb\",\n\"groupCount\": 1\n}\n}"}]},{"type":"paragraph","content":[{"type":"text","text":"With six users added to the organization, the below request and response show that the limit was effectively circumvented."}]},{"type":"paragraph","content":[{"type":"text","text":"Request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"GET /api/organizations/search_members?organization=cure53-test-3\nHost: http://sc-staging.io\nCookie: JWT-SESSION=[REDACTED]"}]},{"type":"paragraph","content":[{"type":"text","text":"Response:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"HTTP/2 200 OK\nContent-Type: application/json\nDate: Wed, 12 Feb 2025 14:20:55 GMT\nX-Sonar-Server-Time: 1739370055139\nSonar-Version: 10.14.0.2599\n[...]\n{\n\"paging\": {\n\"pageIndex\": 1,\n\"pageSize\": 50,\n\"total\": 6\n},\n\"users\": [\n{\n\"login\": \"cure53-dominik-i2uXw@github\",\n\"name\": \"cure53-dominik\",\n\"avatar\": 
\"36644d2db1800679fcc4d1143ca8e01b\",\n\"groupCount\": 3,\n\"isOrgAdmin\": true\n},\n{\n\"login\": \"davidwcure53-UE8yC@github\",\n\"name\": \"davidwcure53\",\n\"avatar\": \"4ba1edbe718a0c9eedb607c6da5c2503\",\n\"groupCount\": 2,\n\"isOrgAdmin\": true\n},\n{\n\"login\": \"quentin-chevrin-sonarsource@github\",\n\"name\": \"Quentin Chevrin\",\n\"avatar\": \"97fc9693c0ffca40a4f9c4e34f19da64\",\n\"groupCount\": 1,\n\"isOrgAdmin\": false\n},\n{\n\"login\": \"SimonRSC53-u3Nsx@github\",\n\"name\": \"SimonRSC53\",\n\"avatar\": \"c252b0a7555344bd4491429de3c4742f\",\n\"groupCount\": 1,\n\"isOrgAdmin\": false\n},\n{\n\"login\": \"VCure53-BadhO@github\",\n\"name\": \"VCure53\",\n\"avatar\": \"7bd56a27a01fd7582e765a7159a8fbcb\",\n\"groupCount\": 1,\n\"isOrgAdmin\": false\n},\n{\n\"login\": \"c53-rootsys-ay1lR@github\",\n\"name\": \"c53-rootsys\",\n\"avatar\": \"202c45e0221224e0e7a4a063c84382df\",\n\"groupCount\": 1,\n\"isOrgAdmin\": false\n}\n]\n}"}]},{"type":"paragraph","content":[{"type":"text","text":"Besides the limited number of members per organization, Cure53 identified additional features that are typically reserved for paid plans but could still be utilized directly through the SonarQube API. 
These are listed next."}]},{"type":"paragraph","content":[{"type":"text","text":"Other affected endpoints:","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"POST /api/webhooks/create"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"POST /api/user_groups/create"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"POST /api/organizations/add_member"}]}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"POST /api/permissions/add_group"}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate, Cure53 recommends not only enforcing the paid plan’s restrictions on the client-side but also on the API, i.e., the server-side. Please note that the affected endpoints listed in this ticket do not intend to offer a complete list of the affected items. The SonarSource team should ideally evaluate all API routes for unauthorized access."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"205175","self":"https://sonarsource.atlassian.net/rest/api/3/issue/205175","key":"SSF-676","fields":{"summary":"SOC-12-009 WP1: Lack of rate-limiting allows coupon brute-forcing (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"During the evaluation of the payment process, Cure53 observed that coupon codes could be exploited to gain certain benefits. Each coupon code comprises 10 alphanumeric characters, with the letters limited to uppercase. This means that attackers must send 36^10 requests in order to attempt all possible combinations. 
Since no rate-limiting mechanism was detected, and the attack can be executed without authentication, this brute-force approach is considered feasible. However, the likelihood of getting a valid match can be considered to be low, and the issue was therefore added to the Miscellaneous Issues section."}]},{"type":"paragraph","content":[{"type":"text","text":"Request:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"GET /api/billing/show_coupon?coupon=HUUHPEQ79P HTTP/2\nHost: http://squad-5-core.sc-dev.io "}]},{"type":"paragraph","content":[{"type":"text","text":"Response:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"HTTP/2 400 Bad Request\n[...]\n{\"errors\":[{\"msg\":\"Coupon is invalid\"}]}"}]},{"type":"paragraph","content":[{"type":"text","text":"In order to mitigate this issue, Cure53 recommends implementing a strict rate-limiting mechanism in the coupon code validation process, to prevent brute-force attacks. Additionally, introducing CAPTCHA challenges after a few failed attempts would further protect the system."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"194659","self":"https://sonarsource.atlassian.net/rest/api/3/issue/194659","key":"SSF-628","fields":{"summary":"SOC-11-003 WP1: Overly permissive AWS IAM instance policies (Low)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"While inspecting the AWS EC2 instances, it was noticed that the current AWS IAM instance policies were overly permissive, granting instances broader access to AWS resources than necessary. 
This poses a security risk, as it increases the attack surface, allowing potential attackers to exploit these permissions to access sensitive data or perform unauthorized actions within the AWS environment, once an initial attack has occurred and a machine is compromised."}]},{"type":"paragraph","content":[{"type":"text","text":"Affected tenant:","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"sonarcloud-prod","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"type":"text","text":"Affected host:","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"I-0081f48775cb968c7","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"type":"text","text":"Affected instance role:","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":"Core-Bastion-Service-Prod-BastionHostRole-1QHHHVFKVD564","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"type":"text","text":"Affected config:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"\"Effect\": \"Allow\",\n\"Action\": [\n\"s3:GetBucketLocation\",\n\"s3:PutObject\",\n\"s3:GetObject\",\n\"s3:GetEncryptionConfiguration\",\n\"s3:AbortMultipartUpload\",\n\"s3:ListMultipartUploadParts\",\n\"s3:ListBucket\",\n\"s3:ListBucketMultipartUploads\"\n],"}]},{"type":"paragraph","content":[{"type":"text","text":"It is recommended that all IAM instance policies be reviewed and audited to ensure that permissions are limited to only what is required for the specific tasks or roles of the instances. 
It is advisable to implement the principle of least privilege, by creating more granular policies, and regularly monitoring for any unauthorized permission changes or access patterns."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"181638","self":"https://sonarsource.atlassian.net/rest/api/3/issue/181638","key":"SSF-592","fields":{"summary":"SOC-10-005 WP1: Lack of cross-origin-related HTTP security headers (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"The discovery was made that the SonarCloud platform lacks several of the newer [2] cross-origin infoleak-related HTTP security headers in their responses. This does not directly produce a security risk, but it may prove useful toward exploiting other areas of weakness with greater ease, including issues relating to Spectre attacks [3]. The following list enumerates the headers that require reviewing and implementing in order to prevent associated vulnerabilities."}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Cross-Origin Resource Policy (CORP) ","marks":[{"type":"strong"}]},{"type":"text","text":"and "},{"type":"text","text":"Fetch Metadata Request ","marks":[{"type":"em"}]},{"type":"text","text":"headers allow developers to control which sites can embed their resources, such as images or scripts. 
They prevent data from being delivered to an attacker-controlled browser-renderer process, as seen in "},{"type":"text","text":"resourcepolicy.fyi","marks":[{"type":"link","attrs":{"href":"https://resourcepolicy.fyi/"}},{"type":"em"}]},{"type":"text","text":" ","marks":[{"type":"em"}]},{"type":"text","text":"and "},{"type":"text","text":"web.dev/fetch-metadata","marks":[{"type":"link","attrs":{"href":"http://web.dev/fetch-metadata"}},{"type":"em"}]},{"type":"text","text":"."}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Cross-Origin Opener Policy (COOP) ","marks":[{"type":"strong"}]},{"type":"text","text":"grants developers the ability to ensure that their application window will not receive unexpected interactions from other websites, allowing the browser to isolate it in its own process. This incorporates important process-level protection, particularly in browsers that do not enable full Site Isolation - see "},{"type":"text","text":"web.dev/coop-coep","marks":[{"type":"link","attrs":{"href":"http://web.dev/coop-coep"}},{"type":"em"}]},{"type":"text","text":".","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Cross-Origin Embedder Policy (COEP) ","marks":[{"type":"strong"}]},{"type":"text","text":"ensures that any authenticated resources requested by the application have explicitly opted-in to passing into a load state. 
In the current climate, to guarantee process-level isolation for highly sensitive applications in Chrome or Firefox, applications must enable both COEP and COOP - see "},{"type":"text","text":"web.dev/coop-coep","marks":[{"type":"link","attrs":{"href":"http://web.dev/coop-coep"}},{"type":"em"}]},{"type":"text","text":".","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"type":"text","text":"Generally speaking, the absence of cross-origin security headers should be considered a negative practice that could be avoided in times when attacks such as Spectre are known to be easily practicable and exploit code is publicly available."}]},{"type":"paragraph","content":[{"type":"text","text":"To mitigate this issue, Cure53 recommends inserting the aforementioned headers into every relevant server response"},{"type":"text","text":". ","marks":[{"type":"em"}]},{"type":"text","text":"Resources with detailed information regarding headers of this nature are available online, explaining both header setup best practices and the potential consequences of bypassing setup entirely [5]."}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"Ref:"}]},{"type":"paragraph","content":[{"type":"text","text":"2 "},{"type":"inlineCard","attrs":{"url":"https://security.googleblog.com/2020/07/towards-native-security-defenses-for.html"}},{"type":"text","text":" "}]},{"type":"paragraph","content":[{"type":"text","text":"3 "},{"type":"inlineCard","attrs":{"url":"https://meltdownattack.com/"}},{"type":"text","text":" "},{"type":"hardBreak"},{"type":"text","text":"4 "},{"type":"inlineCard","attrs":{"url":"https://scotthelme.co.uk/coop-and-coep/"}},{"type":"text","text":" "},{"type":"hardBreak"},{"type":"text","text":"5 "},{"type":"inlineCard","attrs":{"url":"https://web.dev/coop-coep/"}},{"type":"text","text":" 
"}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"170140","self":"https://sonarsource.atlassian.net/rest/api/3/issue/170140","key":"SSF-562","fields":{"summary":"SOC-09-004: Too permissive CSP renders protection ineffective (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"SOC-09-004 WP1: Overly permissive CSP renders protection ineffective ","marks":[{"type":"strong"}]},{"type":"text","text":"(Info)","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"type":"text","text":"In order to mitigate against potential XSS or other client-side attacks, the Content Security Policy (CSP) was invented as a framework to provide robust capabilities in limiting content activities. This assurance imbues the drawback that the limitations must be appropriately strict to provide ample protection. During testing and following discussions with the client, it became apparent that the SonarSource team intended to ship a CSP. However, the implementation’s current policy was deemed ineffective. 
Thus, this ticket represents a reference point for hardening the deployed CSP, categorized as a miscellaneous issue with purely informational content."}]},{"type":"paragraph","content":[{"type":"text","text":"Deployed CSP:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"Content-Security-Policy-Report-Only: default-src 'self';script-src 'self'\n'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com\nhttps://www.googletagmanager.com https://tagmanager.google.com\n https://static.cdn.prismic.io\n https://bitbucket.org/atlassian-connect/all.js https://dev.azure.com\n js.braintreegateway.com assets.braintreegateway.com www.paypalobjects.com\n c.paypal.com https://static.userback.io;style-src 'self' 'unsafe-inline'\n https://tagmanager.google.com https://fonts.googleapis.com\n https://static.cdn.prismic.io https://static.userback.io;img-src 'self'\n https: assets.braintreegateway.com checkout.paypal.com data:;connect-src\n 'self' https://sonarcloud.io *.sc-dev.io https://*.google-analytics.com\n https://static.cdn.prismic.io https://*.sentry.io\n https://*.ingest.sentry.io https://sonarsource.cdn.prismic.io\n https://static.sonarcloud.io wss://notifications.sonarcloud.io\n https://d301sr5gafysq2.cloudfront.net api.sandbox.braintreegateway.com\n api.braintreegateway.com client-analytics.sandbox.braintreegateway.com\n client-analytics.braintreegateway.com *.braintree-api.com\n https://api.userback.io https://secure.gravatar.com\n https://api.bitbucket.org;object-src 'none';media-src 'none';child-src\n 'self' assets.braintreegateway.com c.paypal.com;frame-src 'self'\n assets.braintreegateway.com c.paypal.com *.cardinalcommerce.com\n https://eu.3ds.acssecure.com https://*.americanexpress.com\n https://acs.capitalone.com;font-src 'self' https://fonts.gstatic.com\n https://static.userback.io/fonts;"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"type":"text","text":"Note this is only a 
"},{"type":"text","text":"report-only ","marks":[{"type":"em"}]},{"type":"text","text":"policy which, in itself, only reports CSP violations but does not actually enforce the policy. Further discussions with the development team revealed that the intent is to eventually ship this as a regular CSP."}]},{"type":"paragraph","content":[{"type":"text","text":"Following recommendations proposed by the CSP standard, Cure53 advises adopting a policy based around the "},{"type":"text","text":"strict-dynamic ","marks":[{"type":"em"}]},{"type":"text","text":"source directive and closely following the best practices outlined in the specification."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"153274","self":"https://sonarsource.atlassian.net/rest/api/3/issue/153274","key":"SSF-474","fields":{"summary":"SOC-07-005 WP1: Suboptimal session expiration time","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"The JWT expiration time is set to about 24 hours after creation. However, long session expiration times generally raise the risk of an account being exposed or a token being reused by an attacker in case of leakage."}]},{"type":"paragraph","content":[{"type":"text","text":"The decoded sample token below was last refreshed almost 24 hours ago and is set to expire two hours afterward. 
Thus, it can still be used to fetch user information, update the profile, and create more tokens."}]},{"type":"paragraph","content":[{"type":"text","text":"Example JWT:","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"type":"text","text":"{\"alg\":\"HS256\"}.\n{\"lastRefreshTime\":\"AYpFZPQM9b-1693485869458,\"xsrfToken\":\"rtmo4s6q5fr4hq328v9bu8sj1c\",\n\"jti\":\"AYpFZPQM9b-XVRORrUXI\",\"sub\":\"AYo636h3tR11lBa6v12i\",\"iat\":1693381358,\n\"exp\":1693572269}"}]},{"type":"paragraph","content":[{"type":"text","text":"It is recommended to enforce relatively short expiration times with the ability to refresh and keep a session alive. Tokens that have been inactive for a longer period of time, usually around 20 minutes, should expire. There is always the option of letting the users opt-in when logging in with a “"},{"type":"text","text":"remember me","marks":[{"type":"em"}]},{"type":"text","text":"” button or similar, which would prolong the session for users who wish to do so."}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"142247","self":"https://sonarsource.atlassian.net/rest/api/3/issue/142247","key":"SSF-409","fields":{"summary":"SOC-06-008 WP2: Timing-unsafe string comparisons in Lambda functions (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"Multiple Lambda functions are making use of timing-unsafe comparison operators when validating user-input with sensitive "},{"type":"text","text":"authentication ","marks":[{"type":"em"}]},{"type":"text","text":"secrets. The runtime of those operators correlates with the number of equivalent prefix bytes. This introduces the risk of attackers measuring the runtime of those operators in order to derive information about the "},{"type":"text","text":"authentication ","marks":[{"type":"em"}]},{"type":"text","text":"secrets character-by-character. 
As this attack is extremely difficult to execute and heavily relies on environmental factors - like network speed and congestion - it poses no threat at present. "}]}]}}},{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"142243","self":"https://sonarsource.atlassian.net/rest/api/3/issue/142243","key":"SSF-405","fields":{"summary":"SOC-06-004 WP2: Overly permissive IAM objects (Info)","description":{"type":"doc","version":1,"content":[{"type":"paragraph","content":[{"type":"text","text":"An analysis of the IAM policies revealed that the current delegation schema adopted by SonarCloud should be considered overly permissive. The delegation schema used at present heavily relies on using wildcard permissions for resources and actions. This should not be regarded as a sound security practice due to the risk of delegating overly permissive access to groups and users attached to any given policy configured using wildcards. "}]},{"type":"paragraph","content":[{"type":"text","text":"In addition to this, it was observed that some of the policies use an element called "},{"type":"text","text":"NotAction","marks":[{"type":"em"}]},{"type":"text","text":"3","marks":[{"type":"subsup","attrs":{"type":"sup"}}]},{"type":"text","text":", which is a complex element that explicitly matches everything except for the specified list of actions. Using "},{"type":"text","text":"NotAction ","marks":[{"type":"em"}]},{"type":"text","text":"in conjunction with "},{"type":"text","text":"Effect: Allow ","marks":[{"type":"em"}]},{"type":"text","text":"can result in a weaker policy by effectively only listing a few actions that should not match. Taken together, inappropriate usage of this combination makes the policy too permissive and can eventually lead to unauthorized access. 
"}]},{"type":"paragraph","content":[{"type":"text","text":"Excerpt from wildcard * configuration: ","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"arn:aws:iam::aws:policy/AdministratorAccess "}]}]}]},{"type":"paragraph","content":[{"type":"text","text":"◦ IAMRoles-AdminRole-49Y4TCBLLSWK "}]},{"type":"paragraph","content":[{"type":"text","text":"◦ aws-controltower-AdministratorExecutionRole "}]},{"type":"paragraph","content":[{"type":"text","text":"◦ stacksets-exec-4798bcd0b06cd1aadf3ab9db6a9376f1 "}]},{"type":"paragraph","content":[{"type":"text","text":"◦ AWSControlTowerExecution "}]},{"type":"paragraph","content":[{"type":"text","text":"◦ All-Services-Pipeline-Prod-CodeBuildRole728CBADE-1TT0TPDVEEC2 "}]},{"type":"paragraph","content":[{"type":"text","text":"◦ Maintenance-PurgeIssuesCh-DeleteOrphansJobRole9911-GA4XWIDUA6VA ◦ AWSReservedSSO_ISTElevatedProduction_e257fb9c1e435754 "}]},{"type":"paragraph","content":[{"type":"text","text":"◦ AWSReservedSSO_INFElevatedProduction_298ab6054fe99f61 "}]},{"type":"paragraph","content":[{"type":"text","text":"◦ Maintenance-PurgeIssuesCh-VacuumIssuesChangesJobRo-1V2TFMNMK9KHM ◦ cdk-hnb659fds-cfn-exec-role-488059965635-eu-west-1 "}]},{"type":"paragraph","content":[{"type":"text","text":"◦ Maintenance-PurgeIssuesCh-GetOrphansJobRole928A348-U44Q8LCYT12V ◦ AWSReservedSSO_AWSAdministratorAccess_b4368618562da382 "}]},{"type":"paragraph","content":[{"type":"text","text":"◦ cdk-hnb659fds-cfn-exec-role-488059965635-eu-central-1 "}]},{"type":"paragraph","content":[{"type":"text","text":"◦ cdk-hnb659fds-cfn-exec-role-488059965635-us-east-1 "}]},{"type":"paragraph","content":[{"type":"text","text":"◦ CommunitySupport-Autoscan-AutoscanFailedLogsFuncti-1L0E3AK7OWCKU "}]},{"type":"paragraph","content":[{"type":"text","text":"\"Statement\": [ "}]},{"type":"paragraph","content":[{"type":"text","text":" { 
"}]},{"type":"paragraph","content":[{"type":"text","text":" \"Action\": [ "}]},{"type":"paragraph","content":[{"type":"text","text":" "},{"type":"text","text":"\"*\" ","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"type":"text","text":" ","marks":[{"type":"strong"}]},{"type":"text","text":"], "}]},{"type":"paragraph","content":[{"type":"text","text":"3 ","marks":[{"type":"subsup","attrs":{"type":"sup"}}]},{"type":"inlineCard","attrs":{"url":"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html"}},{"type":"text","text":" "}]}]}}}],"isLast":true}