Must-share information (formatted with Markdown):
Dear team,
we have detected that our sonarqube image is affected by the vulnerability CVE-2023-4911 | Vulnerability Database | Aqua Security. Have you analyzed whether this represents a security risk? If yes, it would be great if you could provide a hotfix with a patch for it.
Thanks a lot,
Jesús P.
Dear Jesús Pajares,
Thank you for bringing this vulnerability to our attention. We take security very seriously and appreciate your efforts in helping us to maintain a secure product.
On this occasion, the CVE-2023-4911 reported affecting the sonarqube:10.2.1-developer docker image is a false positive.
Package | Vulnerability ID | Severity | Installed Version | Fixed Version
libc-bin CVE-2023-4911 HIGH 2.35-0ubuntu3.3 2.35-0ubuntu3.4
libc6 CVE-2023-4911 HIGH 2.35-0ubuntu3.3 2.35-0ubuntu3.4
locales CVE-2023-4911 HIGH 2.35-0ubuntu3.3 2.35-0ubuntu3.4
These vulnerabilities stem from the SonarQube dependencies (base OS image eclipse-temurin) and are not inherent vulnerabilities of SonarQube itself.
Please do continue to report any vulnerabilities you find in future using our process.
How to report a vulnerability responsibly:
Follow this guide if you’ve found a vulnerability in one of SonarSource’s products or websites and you want to responsibly report it.
SonarSource customers with a support contract can report the vulnerability directly through the support channel.
Otherwise, send an email to security@sonarsource.com.
What we need from you:
Focus areas:
Public disclosure
You need to get our permission before disclosing an issue publicly. We’ll only consider your public disclosure request after we’ve fixed the reported vulnerability.
Regards,
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.