Are Sonarqube < 8.6 or < 7.9.6 really vulnerable to JWT "none" algorithm attack?

I am checking the Sonarqube 8.6 release notes and it contains the following ticket:

SONAR-14162
Fix a vulnerability in the JWT implementation
JWT implementation is vulnerable to the “none” algorithm attack.

The “none” algorithm vulnerability is a very critical one, so I was surprised that there was no mention of that fix in the announcement.

Moreover, I checked the commit that fixes the related ticket, SSF-134 Fail to parse jwt using ‘none’ algorithm, and it doesn’t seem that the vulnerability was present; the change seems to fix just a crash and not a security vulnerability. And the commit message does not mention the security vulnerability either.

So my question is:
Are Sonarqube < 8.6 or < 7.9.6 really vulnerable to JWT “none” algorithm attack? Or is this a mistake in the Jira ticket description?


Hi @Sablegot,

Welcome to the community forum!

SonarQube 7.9.5 LTS is not affected.
A risk was present only in the most recent versions of 8.x and we effectively fixed it with SonarQube 8.6.

Chris

Hi @Chris,

Thanks for your answer,

Can you elaborate on the “risk” which you are talking about?

It’s just that if every sonarqube <8.6 instance out there is vulnerable to the “none” algorithm attack, it’s kind of a very critical security issue, no? That would mean that anybody can log in to any sonarqube <8.6 instance.

Or maybe I misunderstood the Jira ticket and you are talking about another risk?

Many Thanks,

Hi @Sablegot,

It was a hardly exploitable weakness in the case of SonarQube. It would basically require acquiring the session from the user.
Be reassured, the issue does not allow everyone to log in and, as mentioned previously, only a few versions of SonarQube (8.4, 8.5) were impacted.

Chris

Thank you for your explanation and transparency, @Chris !