Sonarqube 10.4.1 / Security Issue CVE-2024-22243

pst · March 21, 2024, 9:49am

Hi,

Sonarqube is affected by Spring “Framework Open Redirect Vulnerability” (CVE - CVE-2024-22243). Please quickly update the Spring Framework to 5.3.33 or higher

This vulnerable jar come with 10.4.1:
$ find . -name “spring*”
…
./web/deploy/plugins/securityjavafrontend/META-INF/lib/spring-core-5.3.28.jar
…

Colin · March 21, 2024, 10:05am

Hi,

I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts. Could you please re-send this to security@sonarsource.com!

Thanks!

pst · March 21, 2024, 10:25am

The CVE is official already??? Don’t you have securtiy scans for your software???

Topic		Replies	Views
SonarQube, SonarCloud, and Spring4Shell Sonar Updates	11	4049	June 23, 2022
CVE-2022-22970, CVE-2022-22971 Vulnerabilities in SonarQube 8.9 LTS SonarQube Server / Community Build sonarqube , security , spring , cve	1	1456	May 9, 2023
Spring4Shell ::Spring Framework Remote Code Execution Vulnerability SonarQube Server / Community Build sonarqube	3	2114	April 1, 2022
IS Sonar Developer edition version 9.2.4 affected by Spring Framework Vulenrability CVE-2022-22963 SonarQube Server / Community Build sonarqube , scanner	3	848	April 4, 2022
Is sonarqube affected by Spring Framework Remote Code Execution Vulnerability SonarQube Server / Community Build java , sonarqube	2	1172	April 1, 2022

Sonarqube 10.4.1 / Security Issue CVE-2024-22243

Related topics