Is SonarQube vulnerable to CVE-2019-5418?

Must-share information (formatted with Markdown):

  • Version: 9.9.3 (build 79811)
  • How is SonarQube deployed: Helm

A security scan reported that the file /sonarqube/js/outJOIGNQR7.js appears to be vulnerable to CVE-2019-5418, enabling arbitrary file disclosure.
This file (also under different names) is accessible without authentication.

Hi,

I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts. Could you please re-send this to security@sonarsource.com?

Thx,

Ok, thx. It was only a question, not a report. But I understand the point.