We are using SonarQube version 6.7.2. Can we know whether SonarQube is in general vulnerable to the CVE-2021-45105 vulnerability?
Hi! Yes, it’s vulnerable; you’re using an almost 4-year-old version of SonarQube that contains this and many other vulnerabilities. You should be worried already.
A quick look at the release notes shows that your instance is also vulnerable to:
[SONAR-10608] - Vulnerabilities in Jackson JSON parser (fixed in SQ 6.7.4)
[SONAR-10661] - Fix ZipUtils vulnerability (fixed in SQ 6.7.4)
[SONAR-11071] - Fix vulnerability in SMTP server certificate verification (fixed in SQ 6.7.5)
[SONAR-11475] - Fix open redirect vulnerability (fixed in SQ 6.7.6)
[SONAR-11680] - CVE-2018-1336 / CVE-2018-8014 - Apache Tomcat (fixed in SQ 6.7.7)
[SONAR-11761] - CVE-2017-9801 - org.apache.commons_commons-email (fixed in SQ 6.7.7)
[SONAR-11783] - CVE-2018-14718, 14719, 14720, 14721 / jackson-databind (fixed in SQ 6.7.7)
[SONAR-11805] - CVE-2018-10936 - PostgreSQL driver (fixed in SQ 6.7.7)
[SONAR-11867] - Fix XSS in project links (fixed in SQ 6.7.7)
You should upgrade to a supported version as soon as possible.