Dependencies Vulnerabilities Sonarqube Community 9.9

hcsrazv · February 16, 2024, 4:05am

Hello team,

We had a security scan on 9.9 LTS version of sonarqube community and returned CVE-2022-45688.

Could you please confirm whether Sonarqube is affected by CVE-2022-45688 and if so, are there plans to update the affected depenedencies?

Colin · February 16, 2024, 4:24pm

Hey there.

CVE-2022-45688 - The vulnerable method is not used in SonarQube - Not vulnerable. We will update the dependency anyways in SonarQube 10.1.

In the future, our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts.

Topic		Replies	Views
Is there "official" sonarqube documentation that states version 9.9 is NOT impacted by CVE-2022-4288 SonarQube Server / Community Build	5	894	May 24, 2023
CVE-2022-42889 effect on SonarQube SonarQube Server / Community Build security , cve	27	6758	November 25, 2022
Depencencies' vulnerabilities on Sonarqube Community 10.0.0 SonarQube Server / Community Build	5	388	June 8, 2023
Is sonarqube 9.9 LTS is covered with CVE-2022-42889 vulnerability? SonarQube Server / Community Build sonarqube	1	542	June 8, 2023
About the many CVE in sonar-plugin-api dependencies SonarQube Server / Community Build custom_rules , security	5	2081	February 8, 2022