We are using Sonarqube 126.96.36.199951 with
./lib/server/tomcat-embed-core-8.5.38.jar and Sonarqube 188.8.131.52863 with
We wanted to make sure that these installations are not affected by CVE-2020-9484 which is described as:
Apache Tomcat contains a flaw in the PersistenceManager that is triggered as the contents and name of a file may be insecurely deserialized. With a specially crafted request, an authenticated remote attacker can potentially execute arbitrary code.
This vulnerability is only present if the PersistenceManager is configured to be used with a file store and with sessionAttributeValueClassNameFilter="null". Furthermore, the attacker must know the relative file path from the storage location used by FileStore.
The Apache Software Foundation -> Apache Tomcat -> 7.0.104
The Apache Software Foundation -> Apache Tomcat -> 8.5.55
The Apache Software Foundation -> Apache Tomcat -> 9.0.35
The Apache Software Foundation -> Apache Tomcat -> 10.0.0.M5
However, I could not find anything in the Sonarqube configuration with regard to the PersistenceManager being in use or not.
There is also nothing regarding this CVE in Sonarqube's issue tracker at https://jira.sonarsource.com/projects/SONAR/issues/
Thanks in advance!
Florian from Audi Business Innovation.
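The two conditions the post quotes (a Tomcat build older than the fixed release for its branch, and a PersistentManager backed by a FileStore with no sessionAttributeValueClassNameFilter) can each be checked mechanically. The script below is an added example written for this thread, not code from SonarSource or from the Apache Tomcat project. It takes the fixed versions from the CVE text quoted above, reads the Tomcat version out of a jar name such as the `./lib/server/tomcat-embed-core-8.5.38.jar` mentioned in the post, and inspects a Tomcat context XML for the vulnerable session configuration. The two context fragments in the block are constructed samples; SonarQube configures its embedded Tomcat in code rather than through a context.xml, so for an embedded deployment the XML check illustrates what to look for in the embedding code, while the version check applies directly.

```python
"""Added example for assessing CVE-2020-9484 exposure (not part of the forum post).

Check 1: is the shipped Tomcat older than the fixed release for its branch?
Check 2: does a Tomcat context declare PersistentManager + FileStore without a
         sessionAttributeValueClassNameFilter? (Tomcat's class is named
         PersistentManager; the CVE text calls it "PersistenceManager".)
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases as listed in the CVE description quoted in the post.
FIXED_VERSIONS = {"7": "7.0.104", "8": "8.5.55", "9": "9.0.35", "10": "10.0.0.M5"}

# Matches the embedded-core jar naming used in the post (8.5.38) and milestone builds.
JAR_RE = re.compile(r"tomcat-embed-core-(\d+\.\d+\.\d+(?:[.-]M\d+)?)\.jar$")


def parse_version(version):
    """Return a comparable tuple (major, minor, patch, milestone).

    A milestone build ("10.0.0.M5" or "10.0.0-M5") must sort before the final
    release with the same number, so a final release gets milestone = infinity.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else float("inf"))


def jar_version(jar_path):
    """Extract the Tomcat version from a tomcat-embed-core jar path, or None."""
    m = JAR_RE.search(jar_path)
    return m.group(1) if m else None


def version_is_below_fix(version):
    """True if version predates the fix on its branch, False if fixed,
    None if the branch is not covered by the CVE's fixed-version list."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(str(v[0]))
    if fixed is None:
        return None
    return v < parse_version(fixed)


def vulnerable_session_config(context_xml):
    """True when a PersistentManager uses a FileStore and sets no
    sessionAttributeValueClassNameFilter (the attribute defaults to null,
    so an absent attribute is the vulnerable case the CVE describes)."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        if manager.get("className") != "org.apache.catalina.session.PersistentManager":
            continue
        store = manager.find("Store")
        if store is None or store.get("className") != "org.apache.catalina.session.FileStore":
            continue
        if not manager.get("sessionAttributeValueClassNameFilter"):
            return True
    return False


# Constructed sample contexts: one with the vulnerable combination, one that
# restricts deserialised session attribute classes via the filter attribute.
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

HARDENED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    jar = "./lib/server/tomcat-embed-core-8.5.38.jar"  # path quoted in the post
    v = jar_version(jar)
    print(f"{jar}: version {v}, below fixed release: {version_is_below_fix(v)}")
    print("sample vulnerable context flagged:", vulnerable_session_config(VULNERABLE_CONTEXT))
    print("sample hardened context flagged:", vulnerable_session_config(HARDENED_CONTEXT))
```

A version below the fixed release only tells you that the shipped Tomcat predates the fix; the CVE is exploitable only when the FileStore-backed PersistentManager is actually enabled without a class-name filter, which for an embedded Tomcat is decided by the code that builds the Manager rather than by a configuration file.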