Thymeleaf vulnerability impact?

Tom_Warner · January 10, 2025, 5:00pm

Our security scanner is picking up thymeleaf-3.0.14.RELEASE located within sonar-security-java-frontend-plugin-9.9.0.19083.jar in our sonarqube server installation as vulnerable to CVE-2023-38286.

My questions are:

Is sonarqube server impacted by this CVE?
Are there plans to update thymeleaf in future LTA releases of sonarqube server? If so is there an estimate of when the update would be released?
Is it possible to patch sonar-security-java-frontend-plugin directly? Is there already a newer version that contains an updated thymeleaf that I can install?

File location: /opt/sonarqube/lib/extensions/sonar-security-java-frontend-plugin-9.9.0.19083.jar:META-INF/lib/thymeleaf-3.0.14.RELEASE.jar

Must-share information:

which versions are you using: SonarQube Server Enterprise 9.9.8.100196
how is SonarQube deployed: installed from zip into a docker image
what are you trying to achieve: determine impact of potential vulnerability
what have you tried so far to achieve this: N/A

Colin · January 10, 2025, 5:22pm

Hi,

I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts. Could you please re-send this to security@sonarsource.com?

Thanks!

Topic		Replies	Views
Trivy scan of latest SonarQube Developer editions reports critical vulnerability in CVE-2021-43466 SonarQube Server / Community Build sonarqube	4	1146	December 9, 2021
Thymeleaf errors appears SonarQube Cloud java , security , sonarqube-cloud	9	2254	February 26, 2020
SonarQube, SonarCloud, and Spring4Shell Sonar Updates	11	4053	June 23, 2022
Depencencies' vulnerabilities on Sonarqube Community 10.0.0 SonarQube Server / Community Build	5	397	June 8, 2023
CVE-2022-42889 effect on SonarQube SonarQube Server / Community Build security , cve	27	6873	November 25, 2022

Thymeleaf vulnerability impact?

Related topics