Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.sonarsource.sonarqube/sonar-web@6.3

Type maven

Namespace org.sonarsource.sonarqube

Name sonar-web

Version 6.3

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url VCID-1u3d-yvvy-53an

vulnerability_id VCID-1u3d-yvvy-53an

summary In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc).

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-38460

reference_id

reference_type

scores

value	0.00184
scoring_system	epss
scoring_elements	0.40138
published_at	2026-06-13T12:55:00Z

value	0.00184
scoring_system	epss
scoring_elements	0.40127
published_at	2026-06-14T12:55:00Z

value	0.00184
scoring_system	epss
scoring_elements	0.40115
published_at	2026-06-12T12:55:00Z

value	0.00184
scoring_system	epss
scoring_elements	0.39945
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-38460

reference_url

https://github.com/SonarSource/sonarqube

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/SonarSource/sonarqube

reference_url

https://github.com/SonarSource/sonarqube/commit/48f43d6a3bf9bbd7c9b58eb5cde635572184ad01

reference_id

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/SonarSource/sonarqube/commit/48f43d6a3bf9bbd7c9b58eb5cde635572184ad01

reference_url

https://community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187

reference_id

108187

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:H/S:U/UI:N

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-17T13:43:22Z/

url

https://community.sonarsource.com/t/sonarqube-ce-10-3-0-leaking-encrypted-values-in-web-server-logs/108187

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-38460

reference_id

CVE-2024-38460

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-38460

reference_url

https://github.com/advisories/GHSA-hw2c-8xgw-mf57

reference_id

GHSA-hw2c-8xgw-mf57

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hw2c-8xgw-mf57

reference_url

https://sonarsource.atlassian.net/browse/SONAR-21559

reference_id

SONAR-21559

reference_type

scores

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:H/S:U/UI:N

value	4.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-17T13:43:22Z/

url

https://sonarsource.atlassian.net/browse/SONAR-21559

fixed_packages

url	pkg:maven/org.sonarsource.sonarqube/sonar-web@9.9.4
purl	pkg:maven/org.sonarsource.sonarqube/sonar-web@9.9.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.sonarsource.sonarqube/sonar-web@9.9.4

aliases CVE-2024-38460, GHSA-hw2c-8xgw-mf57

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1u3d-yvvy-53an

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.sonarsource.sonarqube/sonar-web@6.3

Package Instance