SonarQube affected by Ghostcat CVE?


Just to be sure, as this came up recently.
Is SonarQube affected by this CVE due to the embedded Tomcat?


SonarQube should not be affected as we don’t use the AJP protocol – still, SonarQube will bump the version of Tomcat up in SonarQube v8.3 to remove any risk and also stop showing up on security reports. :wink:

We specifically removed support for AJP as of SonarQube 6.1, with SONAR-7989.

Still, as Colin pointed out, the fix is already merged on master and will be available with 8.3.
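Ghostcat (CVE-2020-1938) is only reachable through Tomcat's AJP connector, so the practical check on a running SonarQube host is whether anything there answers AJP at all. The script below is an added example and is not SonarQube's or Tomcat's own code: it performs the AJP/1.3 CPing/CPong handshake (client frame `0x12 0x34` + length + payload `0x0A`, server reply `AB` + length + payload `0x09`) against a host and port, and classifies the port as unreachable, open but not speaking AJP, or a live AJP listener. Tomcat's default AJP port 8009 is assumed as the default target; the fake server is a constructed test double so the whole thing runs offline.

```python
"""Probe a TCP port for a live AJP/1.3 listener via CPing/CPong.

Added illustration, not SonarQube or Tomcat project code.
Assumptions: AJP/1.3 framing as documented for Tomcat, and port 8009
as the default (Tomcat's default AJP port).
"""
import socket
import struct
import threading

AJP_CLIENT_MAGIC = b"\x12\x34"  # client -> server frames start with 0x12 0x34
AJP_SERVER_MAGIC = b"AB"        # server -> client frames start with 'A' 'B'
AJP_CPING = 0x0A                # 1-byte payload: "are you alive?"
AJP_CPONG = 0x09                # 1-byte payload: "yes"


def build_cping() -> bytes:
    """Build a CPing frame: magic, 2-byte big-endian length, payload."""
    payload = bytes([AJP_CPING])
    return AJP_CLIENT_MAGIC + struct.pack(">H", len(payload)) + payload


def parse_cpong(data: bytes) -> bool:
    """Return True only if `data` is a well-formed AJP CPong frame."""
    if len(data) < 5 or data[:2] != AJP_SERVER_MAGIC:
        return False
    (length,) = struct.unpack(">H", data[2:4])
    payload = data[4:4 + length]
    return length == 1 and len(payload) == 1 and payload[0] == AJP_CPONG


def probe_ajp(host: str, port: int = 8009, timeout: float = 3.0) -> str:
    """Classify a port as 'unreachable', 'open-not-ajp', or 'ajp'.

    A port that accepts the connection but answers with anything other
    than CPong (an HTTP error, a banner, or silence) is reported as
    'open-not-ajp', so an HTTP listener on 8009 does not produce a false hit.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_cping())
            try:
                reply = s.recv(16)
            except socket.timeout:
                return "open-not-ajp"
    except OSError:  # refused, unroutable, or connect timeout
        return "unreachable"
    return "ajp" if parse_cpong(reply) else "open-not-ajp"


def start_fake_server(reply: bytes) -> int:
    """Constructed test double: accept one connection on loopback, read the
    client's frame, send `reply`, and close. Returns the ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(16)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Stand-alone demo against the constructed fakes; point probe_ajp at a
    # real SonarQube host to check it the same way.
    ajp_port = start_fake_server(b"AB\x00\x01\x09")
    http_port = start_fake_server(b"HTTP/1.1 400 Bad Request\r\n")
    print("fake AJP  :", probe_ajp("127.0.0.1", ajp_port))
    print("fake HTTP :", probe_ajp("127.0.0.1", http_port))
```

Run `probe_ajp("<sonarqube-host>", 8009)` from a machine that can reach the instance; an `ajp` result on a SonarQube host would mean something other than SonarQube's embedded Tomcat is listening there, since SonarQube opens no AJP connector.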

:+1: Thanks for the details!