{"id":"CVE-2020-28002","details":"In SonarQube 8.4.2.36762, an external attacker can achieve authentication bypass through SonarScanner. With an empty value for the -D sonar.login option, anonymous authentication is forced. This allows creating and overwriting public and private projects via the /api/ce/submit endpoint.","modified":"2026-04-10T04:19:05.460498Z","published":"2020-11-02T21:15:30.117Z","references":[{"type":"EVIDENCE","url":"https://csl.com.co/sonarqube-auditando-al-auditor-parte-ii/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sonarsource/sonarqube","events":[{"introduced":"0"},{"last_affected":"2de1f343e3dbd9e88007b42e475512677c04eb8a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.4.2.36762"}]}}],"versions":["2.6","3.4","5.2-RC1","5.2-RC2","5.4-M10","5.4-M11","5.4-M12","5.4-M13","5.4-M2","5.4-M3","5.4-M4","5.4-M5","5.4-M6","5.4-M7","5.4-M8","5.4-M9","5.5-M1","5.5-M10","5.5-M11","5.5-M12","5.5-M13","5.5-M14","5.5-M2","5.5-M3","5.5-M4","5.5-M5","5.5-M6","5.5-M7","6.3-RC1","6.3.0.18401","6.5-M2","7.5","7.6","7.7","7.8","8.0","8.2.0.32929","8.3.0.34182","8.4.0.35506","8.4.1.35646","8.4.2.36762","latest-silver-master-#65"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28002.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}