SonarQube issue SONAR-3127

Global (default) passwords get exposed to less privileged users


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0
    • Component/s: Plugin API
    • Environment:
      Sonar 2.12
      Solaris

      Description

      Our enterprise environment is set up with very high security restrictions...
      The main administrator for our CI infrastructure has set up Sonar with a technical user to connect to all the different surrounding systems (e.g. SVN, Jenkins, Oracle) and has defined these connection details and passwords in the global configuration.
      This was fine until we upgraded to the latest Sonar version (2.12) - since then, every administrator of a single project is able to see the passwords given by the global admin within the settings page (mentioned as the default next to the field).
      Since this is a full no-go in our company, we have deactivated every single plugin that uses additional passwords to connect to any system.
      ...in fact, because of this I would rate this issue even as a full blocker and a high security issue!
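As an added illustration (not SonarQube's own code), the Python below models the behaviour the reporter describes, where an inherited global value is echoed as the field's default, beside a hardened rendering that masks password-typed defaults for users who are not global administrators; the property keys, values and role flag are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class PropertyType(Enum):
    STRING = "STRING"
    PASSWORD = "PASSWORD"

@dataclass(frozen=True)
class PropertyDef:
    key: str
    kind: PropertyType

MASK = "********"

# Constructed sample data (not taken from the issue): the global admin stored
# SVN credentials globally; one project overrides only the repository URL.
PROPERTY_DEFS = [PropertyDef("example.svn.url", PropertyType.STRING),
                 PropertyDef("example.svn.password", PropertyType.PASSWORD)]
GLOBAL_SETTINGS = {"example.svn.url": "https://svn.example/repo",
                   "example.svn.password": "s3cret"}
PROJECT_SETTINGS = {"example.svn.url": "https://svn.example/project"}

def render_vulnerable(defs, project_settings, global_settings, is_global_admin):
    """Behaviour the reporter describes: the inherited global value is echoed
    as the field's default to anyone who may open the project settings page."""
    return [{"key": d.key, "value": project_settings.get(d.key),
             "default": global_settings.get(d.key)} for d in defs]

def render_hardened(defs, project_settings, global_settings, is_global_admin):
    """Only global admins see inherited password values; a project admin only
    learns that a global default exists (a mask), never the secret itself."""
    rows = []
    for d in defs:
        default = global_settings.get(d.key)
        if (d.kind is PropertyType.PASSWORD and not is_global_admin
                and default is not None):
            default = MASK
        rows.append({"key": d.key, "value": project_settings.get(d.key),
                     "default": default})
    return rows

def leaked_secrets(rows, defs, global_settings):
    """Check a rendered page: keys of password-typed properties whose global
    value appears verbatim in the rows handed to the browser."""
    secret_keys = {d.key for d in defs if d.kind is PropertyType.PASSWORD}
    return sorted(r["key"] for r in rows if r["key"] in secret_keys
                  and r["default"] is not None
                  and r["default"] == global_settings.get(r["key"]))
```

`leaked_secrets` is the kind of check a settings page test suite can run against its rendered output so that a regression of this bug fails the build.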


              People

              Assignee:
              simon.brandhof Simon Brandhof (Inactive)
              Reporter:
              domi Dominik Bartholdi
              Votes: 0
              Watchers: 0
