Is Sonar Developer Edition version 9.2.4 affected by Spring Framework vulnerability CVE-2022-22963?

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Developer Edition 9.2.4

  • what are you trying to achieve
    We have deployed SonarQube on an AWS EC2 instance. We wanted to know whether this version of Sonar is affected by the Spring Framework vulnerability or not.

  • If it is impacted, please guide us with recommendations.

Hey there.

SonarQube is not impacted.


Even for 9.3 developer edition, I assume SQ is not impacted. Please correct me if I am wrong.

I would also like to see an announcement from SonarQube - as was done for Log4Shell (SonarQube, SonarCloud, and the Log4J vulnerability - #142 by jf2009) - about whether SonarQube 8.9.x LTS and 9.x are affected or not.

SonarQube 8.9.7 and 8.9.8 have


which caused our scanner to trigger an incident regarding the CVE.

UPDATE: SonarQube, SonarCloud, and Spring4Shell