sonarsource

Top products

The 15 most recently published vulnerabilities affecting sonarsource.

• CVE-2025-62292In SonarQube before 25.6, 2025.3 Commercial, and 2025.1.3 LTA, authenticated low-privileged users can query the /api/v2/users-management/users endpoint and obtain user fields intended for administr...4.3Oct 10, 2025
• CVE-2025-58178Command Injection via sonarqube-scan-action GitHub Action7.8Sep 2, 2025
• CVE-2024-47911In SonarSource SonarQube 10.4 through 10.5 before 10.6, a vulnerability was discovered in the authorizations/group-memberships API endpoint that allows SonarQube users with the administrator role t...6.7Oct 4, 2024
• CVE-2024-38460In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as Sona...4.9Jun 16, 2024
• CVE-2023-33265In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the...8.8Jul 18, 2023
• CVE-2023-33264In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, configuration routines don't mask passwords in the member configuration properly. This allows Hazelcast Management Center users...4.3May 22, 2023
• CVE-2022-45868The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the w...8.4Nov 23, 2022
• CVE-2022-45047Apache MINA SSHD: Java unsafe deserialization vulnerability9.8Nov 16, 2022
• CVE-2022-40152Stack Buffer Overflow in Woodstox6.5Sep 16, 2022
• CVE-2022-24823Local Information Disclosure Vulnerability in io.netty:netty-codec-http5.5May 6, 2022
• CVE-2021-43797HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling6.5Dec 9, 2021
• CVE-2021-37137The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was rece...7.5Oct 19, 2021
• CVE-2020-28491Denial of Service (DoS)7.5Feb 18, 2021
• CVE-2020-35193The official sonarqube docker images before alpine (Alpine specific) contain a blank password for a root user. System using the sonarqube docker container deployed by affected versions of the docke...9.8Dec 15, 2020
• CVE-2020-28002In SonarQube 8.4.2.36762, an external attacker can achieve authentication bypass through SonarScanner. With an empty value for the -D sonar.login option, anonymous authentication is forced. This al...5.3Oct 30, 2020