CVE-2025-62292
📋 TL;DR
This vulnerability allows authenticated low-privileged users in SonarQube to access sensitive user information intended only for administrators, including email addresses of other accounts. It affects SonarQube Community Edition before version 25.6, Commercial Edition before 2025.3, and Long-Term Support Edition before 2025.1.3.
💻 Affected Systems
- SonarQube Community Edition
- SonarQube Commercial Edition
- SonarQube Long-Term Support Edition
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest email addresses for phishing campaigns, identify high-value targets for credential attacks, or map organizational structure for social engineering.
Likely Case
Internal users could access email addresses of colleagues or administrators, potentially enabling targeted phishing or harassment.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation is straightforward: an authenticated low-privileged user only needs to query the vulnerable endpoint with their normal session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Community: 25.6+, Commercial: 2025.3+, LTA: 2025.1.3+
Vendor Advisory: https://sonarsource.atlassian.net/browse/SONAR-24830
Restart Required: No
Instructions:
1. Backup your SonarQube instance.
2. Download the patched version from SonarSource.
3. Follow the SonarQube upgrade documentation for your edition.
4. Verify the fix by testing the endpoint.
🔧 Temporary Workarounds
API Endpoint Restriction
Use a web application firewall or reverse proxy to block access to /api/v2/users-management/users for non-admin users.
# Example nginx location block. nginx evaluates allow/deny directives in order and
# stops at the first match, so the allow rules must come before "deny all".
# Note: this filters by client IP, not by SonarQube role; admins connecting from
# addresses that are not listed are blocked as well.
location /api/v2/users-management/users {
    allow 127.0.0.1;
    # Add admin IPs here, one per line, e.g. allow 192.0.2.10;
    deny all;
    proxy_pass http://127.0.0.1:9000;  # assumed SonarQube upstream; match your existing proxy_pass
}
Network Segmentation
Restrict access to SonarQube to authorized users and administrators only.
# Example firewall rules: accept SonarQube (TCP 9000) only from the trusted network and
# drop everything else; replace trusted_network with your CIDR, e.g. 192.0.2.0/24
iptables -A INPUT -p tcp --dport 9000 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit SonarQube access to trusted users only.
- Monitor API logs for unauthorized access to the users-management endpoint and alert on suspicious activity.
🔍 How to Verify
Check if Vulnerable:
As an authenticated non-admin user, query GET /api/v2/users-management/users and check if email addresses are returned in the response.
Check Version:
Check SonarQube web interface footer or query /api/system/status endpoint for version information.
Verify Fix Applied:
After patching, repeat the vulnerable query - email addresses should not be returned for non-admin users.
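The three checks above (query the endpoint as a non-admin user and look for email fields, read the version from /api/system/status, and re-run the query after patching) as a small script, added here as an example; it is not part of the advisory or of SonarSource's tooling. It assumes that the v2 endpoint returns a JSON object with a top-level users array whose entries may carry an email field, that /api/system/status returns a version field, and that a SonarQube user token is sent as the username of HTTP basic auth; the edition has to be supplied by the operator because the status endpoint does not report it. The response sample embedded for offline use is constructed.

```python
"""CVE-2025-62292 verification helper (added example; not from the advisory or SonarSource).

Assumptions: /api/v2/users-management/users returns {"users": [{"login": ..., "email": ...}, ...]},
/api/system/status returns {"version": "..."}, and a SonarQube user token is sent as the
username of HTTP basic auth. Run it with the token of a NON-admin account on your own instance.
"""
import base64
import json
import sys
import urllib.request

# First fixed version per edition, as stated in the advisory
FIXED_VERSIONS = {
    "community": (25, 6),
    "commercial": (2025, 3),
    "lta": (2025, 1, 3),
}

# Constructed sample of the assumed v2 response shape, used for offline checks
SAMPLE_RESPONSE = {
    "page": {"pageIndex": 1, "pageSize": 50, "total": 2},
    "users": [
        {"id": "u1", "login": "alice", "name": "Alice", "email": "alice@example.com"},
        {"id": "u2", "login": "bob", "name": "Bob", "email": None},
    ],
}


def parse_version(version: str) -> tuple:
    """'25.6.0.12345' -> (25, 6, 0, 12345); stops at the first non-numeric component."""
    parts = []
    for part in version.split("."):
        if not part.isdigit():
            break
        parts.append(int(part))
    return tuple(parts)


def version_is_fixed(version: str, edition: str) -> bool:
    """True when the running version is at or above the edition's first fixed version."""
    fixed = FIXED_VERSIONS[edition.lower()]
    running = parse_version(version)
    # Pad the shorter tuple with zeros so '25.6' compares equal to '25.6.0.0'
    width = max(len(fixed), len(running))
    return running + (0,) * (width - len(running)) >= fixed + (0,) * (width - len(fixed))


def leaked_emails(users_response: dict) -> dict:
    """Map login -> email for every record that exposes a non-empty email.
    When the caller is a non-admin user, a non-empty result means the instance is affected."""
    return {
        user.get("login", "?"): user["email"]
        for user in users_response.get("users", [])
        if user.get("email")
    }


def fetch_json(base_url: str, path: str, token: str) -> dict:
    """GET base_url + path, sending the token as the basic-auth username (empty password)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def check_instance(base_url: str, edition: str, token: str) -> dict:
    """Run the version and endpoint checks against a live instance and summarise the result."""
    version = fetch_json(base_url, "/api/system/status", token).get("version", "")
    leaks = leaked_emails(fetch_json(base_url, "/api/v2/users-management/users", token))
    return {
        "version": version,
        "version_fixed": version_is_fixed(version, edition),
        "emails_visible": len(leaks),
        "vulnerable": bool(leaks),
    }


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check.py <base_url> <community|commercial|lta> <non-admin user token>")
    print(json.dumps(check_instance(*sys.argv[1:]), indent=2))
```

Run it once before and once after the upgrade: "vulnerable" should flip from true to false while "version_fixed" becomes true. The version comparison pads the shorter tuple so that a four-component build string such as 25.6.0.12345 is recognised as at or above 25.6.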
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /api/v2/users-management/users from non-admin accounts
- Unusual pattern of user enumeration
Network Indicators:
- HTTP 200 responses to /api/v2/users-management/users from non-admin IPs
- Large data transfers from the users endpoint
SIEM Query:
source="sonarqube" AND (uri_path="/api/v2/users-management/users" AND user_role!="admin")
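The log indicators above as runnable detection logic, added here as an example; it is not part of the advisory or of SonarSource's tooling. It assumes SonarQube's default access.log pattern (the %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" "%reqAttribute{ID}" format set by sonar.web.accessLogs.pattern) and, because that log records the login but not the role, takes the admin logins as an allowlist that plays the part of the user_role!="admin" filter in the SIEM query. The log lines are constructed.

```python
"""Access-log detector for CVE-2025-62292 probing (added example; not from the advisory or SonarSource).

Assumes SonarQube's default access.log pattern (sonar.web.accessLogs.pattern):
  %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" "%reqAttribute{ID}"
The log carries the login (%u) but not the role, so admin logins are passed in as an
allowlist (from an export or a directory lookup). The sample lines are constructed.
"""
import re
from collections import defaultdict

TARGET_PATH = "/api/v2/users-management/users"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"[^"]*" "[^"]*" "(?P<reqid>[^"]*)"$'
)

# Constructed sample lines in the assumed format: one non-admin user paging through the
# endpoint, one admin using it legitimately, unrelated API traffic and a rejected request.
SAMPLE_LOG = """\
10.0.0.5 - jsmith [27/Oct/2025:10:01:02 +0000] "GET /api/v2/users-management/users?pageSize=500 HTTP/1.1" 200 48213 "-" "curl/8.5.0" "AYx1"
10.0.0.5 - jsmith [27/Oct/2025:10:01:03 +0000] "GET /api/v2/users-management/users?pageIndex=2 HTTP/1.1" 200 47990 "-" "curl/8.5.0" "AYx2"
10.0.0.9 - admin [27/Oct/2025:10:05:00 +0000] "GET /api/v2/users-management/users HTTP/1.1" 200 1200 "-" "Mozilla/5.0" "AYx3"
10.0.0.7 - mlee [27/Oct/2025:10:06:11 +0000] "GET /api/issues/search?componentKeys=proj HTTP/1.1" 200 3000 "-" "Mozilla/5.0" "AYx4"
10.0.0.5 - jsmith [27/Oct/2025:10:06:12 +0000] "GET /api/v2/users-management/users?pageIndex=3 HTTP/1.1" 200 47500 "-" "curl/8.5.0" "AYx5"
10.0.0.8 - - [27/Oct/2025:10:07:00 +0000] "GET /api/v2/users-management/users HTTP/1.1" 401 0 "-" "python-requests/2.31" "AYx6"
"""


def parse_line(line: str):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_user_enumeration(log_text: str, admin_logins: set, min_requests: int = 1) -> dict:
    """Return {login: summary} for non-admin logins that got HTTP 200 from the users endpoint
    at least min_requests times; each summary holds count, total bytes and source ips."""
    hits = defaultdict(lambda: {"count": 0, "bytes": 0, "ips": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # compare without the query string
        if path != TARGET_PATH or rec["status"] != "200":
            continue
        if rec["user"] in admin_logins or rec["user"] == "-":
            continue
        entry = hits[rec["user"]]
        entry["count"] += 1
        entry["bytes"] += int(rec["bytes"]) if rec["bytes"].isdigit() else 0
        entry["ips"].add(rec["ip"])
    return {user: s for user, s in hits.items() if s["count"] >= min_requests}


if __name__ == "__main__":
    for login, summary in find_user_enumeration(SAMPLE_LOG, {"admin"}).items():
        print(f"ALERT {login}: {summary['count']} hits, {summary['bytes']} bytes, "
              f"from {sorted(summary['ips'])}")
```

Setting min_requests to 1 matches the advisory's guidance that any successful non-admin access to the endpoint is worth an alert on an unpatched instance; after patching, raising the threshold and watching the byte totals keeps the "large data transfers" indicator useful without paging on every hit. Only 200 responses are counted, so rejected requests (the 401 above) are not attributed to a user.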