Which SonarQube Community version mitigates CVE-2024-1597?

Hi,

We are running a SonarQube Community Build 9.0.1 image (deployed via Helm), with the org.postgresql_postgresql jar package having this issue.

Helm Charts:

• SonarQube: sonarqube-1.1.3_107
• PostgreSQL: postgresql-10.4.8

https://nvd.nist.gov/vuln/detail/cve-2024-1597

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.

Is there a Community Build version that mitigates this CVE?
If not, is there a future release version that will?

Thank you!

Hi,

Your version is past EOL. You should upgrade to either the latest version or the current LTA (long-term active version) at your earliest convenience. Your upgrade path is:

9.0.1 → 9.9.7 → 10.7 (last step optional)

You may find these resources helpful:

• Upgrade Guide
• LTS-to-LTS Upgrade Notes for 7.9 to 8.9
• LTS to LTS release upgrade notes for 8.9 to 9.9

If you have questions about upgrading, feel free to open a new thread for that here.

With all that being said, SonarQube is not vulnerable to this CVE in any version, because we don’t use preferQueryMode=simple. SonarQube v10.7 contains an updated version of the driver (42.7.3) that won’t raise this CVE.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.