CVE-2021-23337 in SonarQube 8.7

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): SonarQube 8.7 build 41497
  • problem: lodash 4.17.20 is included in 8.7, but CVE-2021-23337 has been discovered in it. This causes 8.7 to have CVE-2021-23337.
  • Requirement: release a fix ASAP, as lodash has released an urgent security fix, 4.17.21 (Security Vulnerability with lodash@4.17.20 · Issue #5083 · lodash/lodash · GitHub). Please let us know whether there is any plan to release a security fix, and when.

Thanks

Hi @RBHuang ,

I have temporarily unlisted your post to triage it. Please note for future reference that we have a responsible disclosure guide, and this forum is not the best place to report possible security findings in SonarSource products.

I will come back to you when we have checked our exposure to this vulnerability, but most likely we are not vulnerable to this CVE, as we do constant dependency scanning.

Hi @RBHuang ,

As already guessed, I can confirm that SonarQube 8.7 is not vulnerable to CVE-2021-23337. While we do ship the version of lodash that is vulnerable to this CVE, it cannot be exploited in this context.
I can also confirm that lodash is already updated on our current development branch, so the next SonarQube release will include a version of lodash that includes the fix for CVE-2021-23337.

Hope this answers your security concern. If you agree, I would re-list this topic in case other users have the same question.

Hi Tobias, got it, and I will follow the principle to properly update security-related issues later on.

Thanks for your timely update and confirmation. Please list this question, as I do need such information to let our security team check as well. Thanks again.
