Sonar will submit a new CVE for a SonarQube vulnerability this week. We want to ensure that the Sonar community and our customers are aware before the CVE is made public.
The fix was released in versions 9.9.6 LTA and 10.6 on 25 June 2024; there is no known exploitation. Any exploitation of this vulnerability would require Administrator access to SonarQube; the CVSS score will be 6.7 (medium severity).
Discovered by independent security researchers on Apr 26, 2024, the vulnerability allowed a malicious actor with a SonarQube Administrator role to use blind SQL injection commands using the authorizations/group-memberships API endpoint.
In addition to fixing this issue, the latest bug fixes and security patches are also available in 9.9.7 LTA and 10.7. We strongly advise all users who are still using early versions to upgrade to the latest versions as soon as possible.
We would like to thank the security researchers Chaiwat Thongyaem and Alec Romano for their contributions to our continuous endeavor to ensure the security of our products.