Disclosure of a vulnerability fixed with SonarQube 10.4 and 9.9.4 LTA

On January 30, 2024, @ThornableGupture notified us of a vulnerability in SonarQube 10.3 that potentially exposed encrypted parameters — such as secret keys — to users with access to SonarQube logs or proxy logs. The vulnerability was fixed with SONAR-21559 and released in SonarQube 10.4 and 9.9.4 LTA on February 7, 2024.

Any SonarQube instance still running 10.3 or earlier, or 9.9.3 or earlier, should be upgraded as soon as possible. The latest version of SonarQube is 10.5.1, and the current LTA is 9.9.5. As a best practice, SonarQube instances should always be kept up to date with either the latest version or the highest LTA patch version.
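For anyone triaging an inventory of instances, here is a small added check (example code, not from Sonar or the advisory) that decides from a reported SonarQube version string whether an instance still predates the SONAR-21559 fix. The thresholds (fixed in 10.4, and in 9.9.4 on the LTA branch) are the ones stated above; the handling of build suffixes such as "10.3.0.82913" and the constructed inventory at the bottom are assumptions.

```python
# Added example (not from the Sonar advisory): decide from a SonarQube
# version string whether an instance still needs the SONAR-21559 fix.
# Thresholds come from the advisory: fixed in 10.4 and in 9.9.4 LTA, so
# anything on the 9.9 LTA branch below 9.9.4, and anything else below 10.4,
# should be upgraded. The version string is whatever the instance reports;
# tolerating build suffixes like "10.3.0.82913" is an assumption about format.
import re

FIXED_MAIN = (10, 4)      # fix shipped in 10.4 for the non-LTA line
FIXED_LTA = (9, 9, 4)     # fix shipped in 9.9.4 on the LTA branch


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '10.3.0.82913' or '9.9.4' into a tuple of ints, ignoring suffixes."""
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised SonarQube version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def needs_upgrade(version: str) -> bool:
    """True if the instance predates the SONAR-21559 fix on its branch."""
    v = parse_version(version)
    # Pad to three components so '10.4' and '10.4.0' compare equal.
    v3 = (v + (0, 0, 0))[:3]
    if v3[:2] == (9, 9):            # LTA branch: fixed from 9.9.4 onward
        return v3 < FIXED_LTA
    return v3[:2] < FIXED_MAIN      # every other branch: fixed from 10.4


def triage(versions: dict[str, str]) -> dict[str, bool]:
    """Map instance name -> needs_upgrade for an inventory of versions."""
    return {name: needs_upgrade(ver) for name, ver in versions.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    inventory = {
        "ci-main": "10.3.0.82913",
        "legacy": "9.9.3",
        "new": "10.5.1",
        "lta": "9.9.5",
    }
    for name, flag in triage(inventory).items():
        print(f"{name}: {'UPGRADE' if flag else 'ok'}")
```

The branch-aware comparison matters: a plain numeric comparison against 10.4 would wrongly flag a patched 9.9.5 LTA instance, while comparing only against 9.9.4 would miss an unpatched 10.3.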

We want to thank @ThornableGumpture for their clear, thorough, and timely vulnerability report. We are grateful for this report and for the Sonar community’s ongoing support in improving the quality and security of our products.
