We are using SonarQube CE 9.9.4. As we know, SonarQube uses an embedded Apache Tomcat, and there is a vulnerability which affects Apache Tomcat 9.0.89 and below (CVE-2024-34750). We have checked version 10.6, and the Apache Tomcat version there is 9.0.87.
We would like to know which CE version will mitigate the CVE mentioned and when it will be released.
This is more on the security side: what is the hashing algorithm that SonarQube uses to hash the stored passwords in the database (for example, local account passwords)?
Thank you so much for the response, looking forward to v10.7.
There is another question regarding the hashing algorithm used for passwords stored in the database. There is an IM8 requirement and we have to comply with it for all the applications we use. By any chance do you have an answer for this too?
Thanks Colin, that really helps as we are trying to find the documentation!
Also, you mentioned that SonarQube is not using HTTP/2; is there any interim solution we can put in place to mitigate the CVE until the new version is released in the fall?
The CVE is mitigated, because SonarQube doesn’t use HTTP/2 (the vulnerable part of Tomcat is not used by SonarQube). It’s not possible to independently update this dependency.