Trivy scan of latest SonarQube Developer editions reports critical vulnerability in CVE-2021-43466

We scan all our images with Trivy. The latest SonarQube developer editions report a critical vulnerability with org.thymeleaf:thymeleaf-spring5. The community edition doesn’t report this vulnerability.

  • SonarQube developer Edition
  • versions: 9.2.1.49989, 8.9.3.48735, 8.9.2.46101
  • error observed:

```
# trivy image --skip-update sonarqube:9.2.1-developer
2021-12-06T15:13:37.749Z        INFO    Detected OS: alpine
2021-12-06T15:13:37.749Z        INFO    Detecting Alpine vulnerabilities...
2021-12-06T15:13:37.751Z        INFO    Number of language-specific files: 1
2021-12-06T15:13:37.751Z        INFO    Detecting jar vulnerabilities...

sonarqube:9.2.1-developer (alpine 3.14.3)
=========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


Java (jar)
==========
Total: 9 (UNKNOWN: 0, LOW: 3, MEDIUM: 3, HIGH: 2, CRITICAL: 1)

<skip non-criticals in log>

+--------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|               LIBRARY                | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| org.thymeleaf:thymeleaf-spring5      | CVE-2021-43466   | CRITICAL | 3.0.12.RELEASE    |               | Template injection                    |
|                                      |                  |          |                   |               | in thymeleaf-spring5                  |
|                                      |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-43466 |
+--------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
```

  • steps to reproduce: run trivy (docker image)

```
# trivy image --skip-update sonarqube:9.2.1-developer
```

  • potential workaround: the image works, but is vulnerable to attacks. Risk is unclear.

Hi,

I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts. But I’ll let them know about this thread.

Ann


Hi @tallandtree and welcome to the community :wave:

Thank you for bringing this to us.

We know people use a variety of tools to scan for vulnerabilities in third-party software, and this is also part of our own Secure Software Development Lifecycle, as is semi-annual external penetration testing.
Our pen-testing vendor, Cure53, has published the April 2021 test of SonarQube 8.9 LTS and the October 2021 test of SonarQube 9.1.
Neither test found issues of any significance.

After investigating the vulnerability you reported, we can share that this vulnerability does not impact SonarQube or create an exposure. As such, we view the reported vulnerabilities as non-application impacting.

We encourage users to read our security recommendations and employ their own network policies to ensure that only allowed traffic is passed among systems and that traffic is encrypted if required by internal policy.

Thank you again for bringing this to us. We take all disclosures seriously and investigate them thoroughly. If you find anything else in the future, please do report it to security@sonarsource.com. Getting your reports helps us ensure our software is a secure part of the build chain for you and all our other users.

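One way to handle a scan result like the one in the first post together with a vendor assessment like the reply above: triage Trivy's JSON report in CI so that a finding is only suppressed when a recorded justification exists for it. This is an added example, not code from the thread or from SonarSource or Aqua; the report below is a constructed sample in the shape of Trivy's JSON output, and the second vulnerability id is a placeholder, not a real CVE.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of Trivy's JSON report: the thymeleaf entry mirrors the
# finding in the thread, the second entry is a placeholder and not a real CVE.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "sonarqube:9.2.1-developer",
  "Results": [
    {"Target": "sonarqube:9.2.1-developer (alpine 3.14.3)", "Type": "alpine"},
    {"Target": "Java", "Type": "jar", "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2021-43466", "PkgName": "org.thymeleaf:thymeleaf-spring5",
       "InstalledVersion": "3.0.12.RELEASE", "Severity": "CRITICAL",
       "Title": "Template injection in thymeleaf-spring5"},
      {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "example:placeholder-lib",
       "InstalledVersion": "1.0.0", "Severity": "HIGH", "Title": "constructed placeholder"}]}]})

# Accepted risks keyed by CVE id; every suppression carries the justification it was granted on.
ACCEPTED = {"CVE-2021-43466": "vendor response in this thread: not application-impacting"}

def triage(report: str, accepted: dict, min_severity: str = "HIGH"):
    """Return (actionable, suppressed) findings at or above min_severity from a Trivy JSON report.

    Accepts the v2 schema ({"Results": [...]}) and the older bare list of results."""
    data = json.loads(report)
    results = (data.get("Results") or []) if isinstance(data, dict) else data
    threshold = SEVERITY_RANK[min_severity]
    actionable, suppressed = [], []
    for result in results:
        # "Vulnerabilities" is absent (or null) when a target has no findings
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            finding = {"target": result.get("Target"), "id": vuln["VulnerabilityID"],
                       "pkg": vuln["PkgName"], "installed": vuln.get("InstalledVersion"),
                       "fixed": vuln.get("FixedVersion", ""),  # empty: no fixed version known
                       "severity": vuln["Severity"]}
            if finding["id"] in accepted:
                finding["justification"] = accepted[finding["id"]]
                suppressed.append(finding)
            else:
                actionable.append(finding)
    return actionable, suppressed

if __name__ == "__main__":
    todo, ok = triage(SAMPLE_REPORT, ACCEPTED)
    for f in todo:
        print(f"FAIL {f['severity']} {f['id']} {f['pkg']} {f['installed']}")
    raise SystemExit(1 if todo else 0)  # non-zero exit fails the pipeline stage
```

With a real report, feed `trivy image --format json -o report.json <image>` into `triage`; the accepted list should live in version control next to the pipeline so each suppression stays reviewable.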