Must-share information (formatted with Markdown):
- which versions are you using: SonarQube Server
- how is SonarQube deployed: Docker
Hi
We have recently identified a critical remote code execution vulnerability affecting the Apache Tomcat server.
Here are the SonarQube versions we are currently using:
- Version: 10.3.0.82913
- Version: 2025.1.1.104738
The Tomcat versions bundled with these SonarQube releases appear to be impacted by the following vulnerability. We would like to request your assistance in confirming with the vendor when a new Docker image addressing this issue will be available.
1. Vulnerability Overview:
A critical security vulnerability (CVE-2025-24813) has been discovered in Apache Tomcat. This vulnerability could allow attackers to execute remote code, leak sensitive information, or corrupt data.
2. Impact:
Proof-of-concept exploit code for CVE-2025-24813 has already been published on GitHub, suggesting that attackers may have started actively scanning for and exploiting this vulnerability. Successful exploitation could allow an attacker to execute arbitrary code within the system environment. Depending on the system’s permissions, attackers might further install programs, view, alter, or delete data.
The following Apache Tomcat versions are affected:
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0-M1 to 9.0.98
From our preliminary review, it appears that the Tomcat version used in SonarQube 25.4.0.105899 is not affected by this vulnerability. Could you please advise when the Docker image for this version will be officially released?
We appreciate your prompt attention to this matter and look forward to your confirmation.
Thank you very much.
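A quick way to confirm which Tomcat build a given SonarQube Docker image ships, and whether it falls inside the ranges listed above, is to locate the embedded Tomcat jar in the image and compare its version against those ranges. The script below is an added example for this thread, not SonarSource's tooling or part of the original post. It assumes the embedded Tomcat jar is named `tomcat-embed-core-<version>.jar` (the naming Apache uses for embedded Tomcat) and that a listing such as `docker run --rm --entrypoint sh <image> -c "find / -name 'tomcat-embed-core-*.jar' 2>/dev/null"` has been captured; the listings embedded in the script are constructed samples, not output from any real image. One caveat worth checking alongside the version: according to the Apache advisory, exploiting CVE-2025-24813 requires the default servlet to have writes enabled (`readonly` set to `false`), which is not Tomcat's default, so the version check tells you whether you are running a vulnerable build, not by itself whether the deployment is exploitable.

```python
import re
from typing import Dict, Optional, Tuple

# Inclusive affected ranges for CVE-2025-24813, as listed in the post.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2"),
    ("10.1.0-M1", "10.1.34"),
    ("9.0.0-M1", "9.0.98"),
]

# Tomcat versions look like "9.0.98" or, for milestones, "11.0.0-M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Assumed jar naming (Apache's embedded Tomcat artifact); verify against your image.
_JAR_RE = re.compile(r"tomcat-embed-core-(\d+\.\d+\.\d+(?:-M\d+)?)\.jar")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Map a Tomcat version to a sortable tuple.

    Milestones (e.g. 11.0.0-M1) sort *before* the final release of the same
    number, which matters because the affected ranges start at M1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)  # final release
    return (int(major), int(minor), int(patch), 0, int(milestone))  # milestone


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def tomcat_version_from_listing(listing: str) -> Optional[str]:
    """Pull the Tomcat version out of a file listing containing the embedded jar."""
    m = _JAR_RE.search(listing)
    return m.group(1) if m else None


def assess_listing(listing: str) -> Dict[str, object]:
    """Combine extraction and range check into one verdict for a captured listing."""
    version = tomcat_version_from_listing(listing)
    if version is None:
        return {"version": None, "affected": None, "note": "no tomcat-embed-core jar found"}
    return {"version": version, "affected": is_affected(version), "note": ""}


# Constructed sample listings (not real image output): one inside the affected
# range, one on the first fixed release of the same branch.
SAMPLE_LISTING_AFFECTED = """\
/opt/sonarqube/lib/common/tomcat-embed-core-10.1.34.jar
/opt/sonarqube/lib/common/tomcat-embed-el-10.1.34.jar
"""
SAMPLE_LISTING_FIXED = """\
/opt/sonarqube/lib/common/tomcat-embed-core-10.1.35.jar
/opt/sonarqube/lib/common/tomcat-embed-el-10.1.35.jar
"""

if __name__ == "__main__":
    for name, listing in (("affected sample", SAMPLE_LISTING_AFFECTED),
                          ("fixed sample", SAMPLE_LISTING_FIXED)):
        print(name, assess_listing(listing))
```

Paste the real `find` output from each image into `assess_listing` to get a per-image verdict; a result of `affected: True` is a reason to hold the image until the vendor ships one with Tomcat outside the listed ranges.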