CVE-2013-5676: Jenkins SonarQube Plugin Stores Passwords in Cleartext

May 17, 2022 (updated March 13, 2025)

The Jenkins Plugin for SonarQube 3.7 and earlier allows remote authenticated users to obtain sensitive information (cleartext passwords) by reading the value in the sonar.sonarPassword parameter from jenkins/configure.

References

github.com/advisories/GHSA-3x9h-3p7m-33m7
github.com/jenkinsci/sonarqube-plugin
nvd.nist.gov/vuln/detail/CVE-2013-5676

Detect and mitigate CVE-2013-5676 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →