Description

In SonarQube before 25.6, 2025.3 Commercial, and 2025.1.3 LTA, authenticated low-privileged users can query the /api/v2/users-management/users endpoint and obtain user fields intended for administrators only, including the email addresses of other accounts.

PUBLISHED | Reserved 2025-10-10 | Published 2025-10-10 | Updated 2025-10-10 | Assigner mitre

MEDIUM: 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-669 Incorrect Resource Transfer Between Spheres

Product status

Default status: unaffected

10.2 Community before 25.6 Community: affected

10.2 Commercial before 2025.3 Commercial: affected

2025.1 LTA before 2025.1.3 LTA: affected

References

sonarsource.atlassian.net/browse/SONAR-24830

cve.org (CVE-2025-62292)

nvd.nist.gov (CVE-2025-62292)