Hi guys, sorry for my question.
I use SonarQube 8.4.2.36762, and we found vulnerability CVE-2020-28002 for this version,
but I can't find any fix info in a newer version.
Is it fixed?
Hi
SonarQube 8.4.* is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:
8.4.2 → 8.9.2 → 9.0.1 (last step optional)
You may find the Upgrade Guide helpful.
Regarding your actual question, that CVE was addressed in 8.6 with
SONAR-13992 - Upgrade Apache httpclient to 4.5.13
HTH,
Ann
2023 Edit: It’s been pointed out to me that I got my wires crossed with the part of the answer that’s now crossed out. In fact, CVE-2020-28002 is a false positive, since it highlights the fact that anonymous access to SonarQube exposes data - which is self-evident when anonymous access is allowed. And since at least 8.9(.0) anonymous access is no longer the default.
Thanks