CVE-2020-27986 (Sonarqube sensitive information leak) vulnerability fix
2022-08-02 13:42:00 【Architecture Art AA】
I. Vulnerability Repair Instructions
This post covers the fix for the SonarQube vulnerability CVE-2020-27986.
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN and GitLab credentials via the api/settings/values URI. Note: reportedly, the vendor's position on SMTP and SVN is that "it is the administrator's responsibility to configure it".
The vulnerability was disclosed in October 2020. Recently, foreign media have reported a series of source-code leaks from multiple organizations, all involving the SonarQube code audit platform.
II. Reproducing the vulnerability
Opening the following URL directly, without logging in, returns a large amount of settings data through the API that should require authorization:
http://192.168.11.100:9000/api/settings/values
The list of web services (the API surface) can also be retrieved without logging in:
http://192.168.11.100:9000/api/webservices/list
III. Fix
Affected versions:
SonarQube < 8.6
Fixed versions:
SonarQube >= 8.6
Fix 1: if your SonarQube version is lower than 8.6, upgrade it.
In fact, the SonarQube in our environment is 9.3, yet the scanner still flagged this vulnerability, so we suspected a problem with our SonarQube settings.
The answer is on the security page of the official SonarQube documentation:
https://docs.sonarqube.org/latest/instance-administration/security/
It turned out that, to make access convenient for R&D, the Force user authentication option had been turned off on our SonarQube.
As the documentation describes, when this option is disabled, anonymous users can browse the SonarQube UI and fetch project data through the web API.
Fix 2: enable SonarQube's Force user authentication option so that unauthenticated users cannot access SQ at all. Upgrading alone is not enough if anonymous access is still allowed.
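The script below is an added example, not code from the original post or from SonarQube. It turns on the Force user authentication setting through SonarQube's web API and then verifies that an anonymous request to api/settings/values is refused. It assumes the global setting key sonar.forceAuthentication (the value the UI toggle writes), the POST api/settings/set endpoint with key/value parameters, and an admin user token passed as the Basic-auth user name with an empty password; the host and token are placeholders.

```python
"""Enable Force user authentication on SonarQube via its web API (added example)."""
import base64
import urllib.error
import urllib.parse
import urllib.request

# Global setting behind Administration > Security > Force user authentication (assumed key).
SETTING_KEY = "sonar.forceAuthentication"


def auth_header(token: str) -> str:
    """Basic auth value for a SonarQube user token: token as user, empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def set_setting_request(base_url: str, token: str, key: str, value: str) -> urllib.request.Request:
    """Build the POST api/settings/set request; kept separate so it can be inspected offline."""
    body = urllib.parse.urlencode({"key": key, "value": value}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/settings/set",
        data=body,
        method="POST",
        headers={"Authorization": auth_header(token)},
    )


def anonymous_is_blocked(base_url: str, timeout: float = 10.0) -> bool:
    """True when an unauthenticated GET of api/settings/values is refused with 401/403."""
    url = base_url.rstrip("/") + "/api/settings/values"
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return False  # 200: settings are still world-readable
    except urllib.error.HTTPError as err:
        return err.code in (401, 403)


def enforce_authentication(base_url: str, token: str, timeout: float = 10.0) -> bool:
    """Turn the setting on, then confirm anonymous access is now rejected."""
    req = set_setting_request(base_url, token, SETTING_KEY, "true")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.status not in (200, 204):
            raise RuntimeError(f"api/settings/set returned {resp.status}")
    return anonymous_is_blocked(base_url, timeout)


if __name__ == "__main__":
    import sys
    # Placeholders: python enforce.py http://192.168.11.100:9000 <admin-token>
    host, token = sys.argv[1], sys.argv[2]
    print("anonymous access blocked:", enforce_authentication(host, token))
```

The same key can also be set in conf/sonar.properties before the server starts; the API route is convenient when you have many instances to fix and want the verification step in the same run.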