CVE-2025-62292 | THREATINT

Description

In SonarQube before 25.6, 2025.3 Commercial, and 2025.1.3 LTA, authenticated low-privileged users can query the /api/v2/users-management/users endpoint and obtain user fields intended for administrators only, including the email addresses of other accounts.

PUBLISHED Reserved 2025-10-10 | Published 2025-10-10 | Updated 2025-10-10 | Assigner mitre

MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-669 Incorrect Resource Transfer Between Spheres

Product status

Default status

unaffected

10.2 Community (custom) before 25.6 Community

affected

10.2 Commercial (custom) before 2025.3 Commercial

affected

2025.1 LTA (custom) before 2025.1.3 LTA

affected

References

sonarsource.atlassian.net/browse/SONAR-24830

cve.org (CVE-2025-62292)

nvd.nist.gov (CVE-2025-62292)

Download JSON