CVE-2023-4911 vulnerability in Sonar image

Must-share information (formatted with Markdown):

  • SonarQube-dev 10.2.1
  • how is SonarQube deployed: Helm

Dear team,

We have detected that our sonarqube image is affected by the vulnerability CVE-2023-4911 (Vulnerability Database, Aqua Security). Have you analyzed whether this represents a security risk? If yes, it would be great if you could provide a hotfix with a patch for it.

Thanks a lot,
Jesús P.

Dear Jesús Pajares,

Thank you for bringing this vulnerability to our attention. We take security very seriously and appreciate your efforts in helping us to maintain a secure product.

On this occasion, CVE-2023-4911, reported as affecting the sonarqube:10.2.1-developer Docker image, is a false positive.

Package | Vulnerability ID | Severity | Installed Version | Fixed Version
libc-bin | CVE-2023-4911 | HIGH | 2.35-0ubuntu3.3 | 2.35-0ubuntu3.4
libc6 | CVE-2023-4911 | HIGH | 2.35-0ubuntu3.3 | 2.35-0ubuntu3.4
locales | CVE-2023-4911 | HIGH | 2.35-0ubuntu3.3 | 2.35-0ubuntu3.4

These vulnerabilities stem from the SonarQube dependencies (base OS image eclipse-temurin) and are not inherent vulnerabilities of SonarQube itself.

Please do continue to report any vulnerabilities you find in future using our process.

How to report a vulnerability responsibly:

Follow this guide if you’ve found a vulnerability in one of SonarSource’s products or websites and you want to responsibly report it.
SonarSource customers with a support contract can report the vulnerability directly through the support channel.
Otherwise, send an email to

What we need from you:

  • Detail the steps you followed that make the vulnerability exploitable including any URLs or code you used. The more information you provide, the faster we can reproduce and fix the problem.
  • Please don’t send PDF, DOC, or EXE files or reports generated by DAST products. We will not look at them. We do accept images.

Focus areas:

  • Cross-site scripting (XSS)
  • SQL injection (SQLi)
  • Cross-site request forgery (CSRF)
  • Remote code execution (RCE)
  • Cookies not used for authentication or CSRF protection, not being marked as Secure or HTTPOnly
  • Data breaches, such as data of private projects or private organizations on SonarCloud.

Public disclosure

You need to get our permission before disclosing an issue publicly. We’ll only consider your public disclosure request after we’ve fixed the reported vulnerability.

