Is SonarQube affected by the polyfill.io CVE?

bvalley · June 27, 2024, 5:04pm

Can a Sonar Source representative please post/link an explanation of the extent to which various versions of SonarQube are affected by this CVE and what (if any) actions are recommended?

Thank you!

ganncamp · June 27, 2024, 5:45pm

Hi,

I’ve unlisted your topic since you’re enquiring about a vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts. Could you please re-send this to security@sonarsource.com!

Thx,
Ann

bvalley · June 27, 2024, 5:55pm

Will-do, big thanks!

bvalley · June 28, 2024, 1:40pm

Looks like we’re all good on this:

Official guidance recieved from Sonar Source - No action needed on our end

From security@sonarsource.com:

Dear Brandon,
Thank you for contacting Sonar to inquire about this vulnerability.
We can confirm that no version of SonarQube uses the polyfill library and is, therefore, not vulnerable.

system · July 5, 2024, 1:58pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is SonarQube Vulnerable to CVE-2019-18935 SonarQube Server / Community Build sonarqube , security	2	957	February 5, 2020
CVE-2021-45105 vulnerability fix SonarQube Server / Community Build security	1	1340	December 20, 2021
How can i report security bug and a CVE(Common Vulnerabilities and Exposures) for sonarqube application, whats the procedure SonarQube Server / Community Build	1	1282	December 10, 2020
Depencencies’ vulnerabilities on Sonarqube Community 10.1.0 SonarQube Server / Community Build	5	335	July 18, 2023
Identification of CVEs and old versions of thirdparty libraries with Sonarqube SonarQube Server / Community Build	3	1201	May 6, 2020

Is SonarQube affected by the polyfill.io CVE?

Related topics