Is Sonarqube affected by CVE-2022-1471 and CVE-2024-1597?

jyx · June 3, 2024, 3:28am

Must-share information

which versions are you using
sonarqube 9.9.3.79811 and postgres15
how is SonarQube deployed: zip, Docker, Helm
zip

Hi experts,

Two severity vulnerabilities CVE-2022-1471( SnakeYAML library for Java) and CVE-2024-1597(PostgreSQL JDBC Driver) was detected in our locally deployed sonarqube instance by a third party tool.

My questions are:

Is Sonarqube affected by CVE-2022-1471 and CVE-2024-1597?
If yes, do you have any suggestions to deal with these two vulnerabilities ?

Colin · June 3, 2024, 8:49am

Hi,

I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts. Could you please re-send this to security@sonarsource.com!

Thanks!

Topic		Replies	Views
Which SonarQube Community version mitigates CVE-2024-1597? SonarQube Server / Community Build	4	95	November 8, 2024
CVE-2022-42889 effect on SonarQube SonarQube Server / Community Build security , cve	27	6806	November 25, 2022
CVE-2023-4911 vulnerability in Sonar image SonarQube Server / Community Build security	2	1075	October 11, 2023
CVE-2022-22970, CVE-2022-22971 Vulnerabilities in SonarQube 8.9 LTS SonarQube Server / Community Build sonarqube , security , spring , cve	1	1448	May 9, 2023
Is CVE-2022-42889, AKA Text4Shell vulnerability impacting SonarQube SonarQube Server / Community Build security , cve	1	1496	October 21, 2022

Is Sonarqube affected by CVE-2022-1471 and CVE-2024-1597?

Related topics