SonarQube / GitHub integration information leakage

Sonar will submit a new CVE for a SonarQube vulnerability this week. We want to ensure that the Sonar community and our customers are aware before the CVE is made public. The fix was released in versions 9.9.5 LTA and 10.5 on 25 June; there is no known exploitation. Any exploitation of this vulnerability would require Administrator access to SonarQube; the CVSS score will be 6.5 (medium severity).

Discovered by security researchers at Synacktiv on February 19, 2024, the vulnerability allowed a malicious SonarQube user with the Administrator role to modify an existing GitHub integration configuration, pointing its GitHub API URL at a server under their control, so that the JWT SonarQube signs with the integration's GitHub App private key would be sent to that server and could be exfiltrated. The fix mitigates this by requiring administrators to provide the Private Key for verification whenever the GitHub API URL is modified, so the URL cannot be redirected by someone who does not already hold the key.
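To make the mechanism concrete, here is an added illustrative model, written for this post and not SonarQube's own code. It assumes a stored integration whose private key is write-only in the UI, an outbound call that sends a freshly signed app JWT to whatever API URL is configured, and a fix modelled as: a URL change must be accompanied by a private key, and that key becomes the one used for JWTs sent to the new URL. Real GitHub App JWTs are RS256; HMAC-SHA256 is used here as a stand-in so the example runs with the standard library only. All keys and URLs below are constructed samples.

```python
"""Model of the GitHub-integration update path: vulnerable vs. hardened.

Not SonarQube code. Shows why letting an administrator change the GitHub API
URL on its own leaks the app JWT, and how requiring the private key on URL
changes closes that (assumed design; see lead-in).
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed sample material; not real keys or hosts.
ORIGINAL_KEY = b"constructed-legitimate-app-key"
ATTACKER_URL = "https://api-capture.attacker.example"
ATTACKER_KEY = b"constructed-key-the-admin-already-holds"
GITHUB_API = "https://api.github.com"


@dataclass
class GitHubIntegration:
    """Stored GitHub App settings; the key is never shown back to the UI."""
    app_id: str
    api_url: str
    private_key: bytes = field(repr=False)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_app_jwt(app_id: str, private_key: bytes, now: int) -> str:
    """Mint the short-lived app JWT sent to the API URL.

    HMAC-SHA256 stands in for RS256 so this runs offline (assumption).
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": app_id, "iat": now - 60, "exp": now + 540}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(private_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_signed_by(token: str, private_key: bytes) -> bool:
    """True if the token verifies under private_key (what a receiver can check)."""
    header, payload, sig = token.split(".")
    expected = hmac.new(private_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


def request_installation_token(cfg: GitHubIntegration, now: int) -> tuple[str, str]:
    """Return (destination URL, signed JWT) that the outbound call would carry."""
    return cfg.api_url, sign_app_jwt(cfg.app_id, cfg.private_key, now)


def update_vulnerable(cfg: GitHubIntegration, new_api_url: str) -> None:
    """Pre-fix behaviour: the URL changes with no proof the caller holds the key."""
    cfg.api_url = new_api_url


def update_hardened(cfg: GitHubIntegration, new_api_url: str,
                    private_key: bytes | None = None) -> None:
    """Post-fix behaviour: a URL change requires a private key, and that key is
    what signs JWTs sent to the new URL, so the caller learns nothing new."""
    if new_api_url != cfg.api_url:
        if not private_key:
            raise ValueError("changing the GitHub API URL requires re-entering the private key")
        cfg.private_key = private_key
    cfg.api_url = new_api_url


def redirect_and_capture(hardened: bool, now: int = 1_700_000_000) -> bool:
    """Simulate a malicious admin redirecting the API URL to ATTACKER_URL.

    Returns True if the JWT that then leaves the server verifies under the
    ORIGINAL key, i.e. the attacker captured a token they could not mint.
    """
    cfg = GitHubIntegration("12345", GITHUB_API, ORIGINAL_KEY)
    if hardened:
        update_hardened(cfg, ATTACKER_URL, private_key=ATTACKER_KEY)
    else:
        update_vulnerable(cfg, ATTACKER_URL)
    url, token = request_installation_token(cfg, now)
    return url == ATTACKER_URL and jwt_signed_by(token, ORIGINAL_KEY)


def url_change_requires_key() -> bool:
    """True if the hardened path rejects a URL change made without the key."""
    cfg = GitHubIntegration("12345", GITHUB_API, ORIGINAL_KEY)
    try:
        update_hardened(cfg, ATTACKER_URL)
    except ValueError:
        return cfg.api_url == GITHUB_API
    return False


if __name__ == "__main__":
    print("vulnerable leaks original-key JWT:", redirect_and_capture(hardened=False))
    print("hardened leaks original-key JWT:  ", redirect_and_capture(hardened=True))
    print("hardened rejects URL change w/o key:", url_change_requires_key())
```

The point of the hardened path is not that the URL becomes immutable: an administrator who genuinely holds the key can still repoint the integration, but the only JWTs that reach a new destination are signed with a key that administrator already possesses.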

In addition to fixing this issue, the latest bug fixes and security patches are now available in 9.9.6 LTA and 10.6. We strongly advise all users who are still running earlier versions to upgrade to the latest versions as soon as possible.

We would like to thank the security researchers Clément Amic and Hugo Vincent at Synacktiv for their contributions to our continuous endeavor to ensure the security of our products.
