Sonarqube vulnurability CVE-2020

sonar_man · August 20, 2021, 2:49pm

Hi guys sorry for my question
i uses sonarqube 8.4.2.36762 and we find for this version vulnerability CVE-2020-28002
but i can found any fix info in new version?
it fixed?

ganncamp · August 20, 2021, 5:50pm

Hi

SonarQube 8.4.* is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.4.2-> 8.9.2 → 9.0.1 (last step optional)

You may find the Upgrade Guide helpful.

~~Regarding your actual question, that CVE was addressed in 8.6 with~~

~~SONAR-13992 - Upgrade Apache httpclient to 4.5.13~~

HTH,
Ann

2023 Edit: It’s been pointed out to me that I got my wires crossed with the part of the answer that’s now crossed out. In fact, CVE-2020-28002 is a false positive, since it highlights the fact that anonymous access to SonarQube exposes data - which is self-evident when anonymous access is allowed. And since at least 8.9(.0) anonymous access is no longer the default.

sonar_man · August 25, 2021, 7:34am

Thanks

system · September 1, 2021, 7:34am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CVE-2022-22970, CVE-2022-22971 Vulnerabilities in SonarQube 8.9 LTS SonarQube Server / Community Build sonarqube , security , spring , cve	1	1455	May 9, 2023
CVE-2021-23337 in Sonarqube 8.7 SonarQube Server / Community Build sonarqube	7	1039	March 25, 2021
Is there "official" sonarqube documentation that states version 9.9 is NOT impacted by CVE-2022-4288 SonarQube Server / Community Build	5	909	May 24, 2023
CVE-2021-45105 vulnerability fix SonarQube Server / Community Build security	1	1338	December 20, 2021
Enterprise EditionVersion 9.4 and CVE-2022-41852, CVE-2022-42889 SonarQube Server / Community Build sonarqube , security	2	757	November 4, 2022

Sonarqube vulnurability CVE-2020

Related topics