SonarQube: SONAR-3330

Security problem (can easily "bypass" Sonar authentication & authorization)


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 2.13.1
    • Fix Version/s: None
    • Labels: None

      Description

      Security problem (can easily "bypass" Sonar authentication & authorization).
      In my enterprise, we have a lot of publishers (from many Jenkins, TeamCity, ... servers) to the Sonar instance.
      Our Sonar has authentication (LDAP) and authorization, and we have some sensitive code (not accessible by everyone).
      The problem is that if you give the JDBC login/password to a project, you can easily "bypass" the security by creating a new Sonar instance and connecting it directly to the database.

      Can you fix this problem? Having some roles on the DB user?
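      The report above boils down to a least-privilege problem: one database account, shared with every CI publisher, carries the full privileges of the server itself, so whoever holds it reads the whole database without ever meeting the LDAP login. The following is an added illustration, not SonarQube code and not part of this ticket, of the "roles on the DB user" idea the reporter raises, written in PostgreSQL syntax. The role names, the table names (`snapshots`, `project_measures`, `metrics`, `rules`, `snapshot_sources`) and the schema layout are hypothetical placeholders chosen for the example.

```sql
-- Added example (not SonarQube's schema or code). PostgreSQL syntax.
-- Role and table names are hypothetical placeholders.

-- Weak setting, as described in the ticket: a single account owns the
-- schema and its password is handed to every Jenkins/TeamCity job.
-- Any holder can point a fresh server at the database and see every
-- project, so the server's LDAP authentication never comes into play.
CREATE ROLE sonar_owner LOGIN PASSWORD 'CHANGE_ME_shared_everywhere';
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO sonar_owner;

-- Corrected setting: the owner account stays on the server host only.
-- Start by closing the default grants so nothing is readable by accident.
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;

-- A group role for publishers that can append analysis results and read
-- shared reference data, but has no privilege on the table holding
-- source code (snapshot_sources), so a rogue server built on these
-- credentials cannot pull the sensitive code.
CREATE ROLE sonar_publisher NOLOGIN;
GRANT INSERT ON snapshots, project_measures TO sonar_publisher;
GRANT SELECT ON metrics, rules TO sonar_publisher;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO sonar_publisher;

-- One login per CI system, so a leaked password identifies its source
-- and can be revoked without touching the others.
CREATE ROLE ci_jenkins  LOGIN PASSWORD 'CHANGE_ME_jenkins'  IN ROLE sonar_publisher;
CREATE ROLE ci_teamcity LOGIN PASSWORD 'CHANGE_ME_teamcity' IN ROLE sonar_publisher;

-- Verify what a publisher login can actually reach before handing it out.
-- Expected: rows for snapshots/project_measures (INSERT), metrics/rules
-- (SELECT), and none at all for snapshot_sources.
SELECT table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'sonar_publisher'
 ORDER BY table_name, privilege_type;
```

      A grant-based split is only as fine as the schema allows. If a publisher must read prior analysis rows (to compute deltas, for instance), a plain SELECT grant exposes those rows for every project, and separating projects would need per-project schemas or row-level policies. Direct database access also sidesteps any authorization the application enforces, so the durable answer is to keep database credentials off the publishers altogether and let them talk only to the authenticated server.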


              People

              Assignee:
              Unassigned
              Reporter:
              Alexandre Navarro (schumnana)
              Votes:
              0
              Watchers:
              0
