PT-2024-32887 · Sonarsource · Sonarqube
Published 2024-10-04 · Updated 2025-09-04 · CVE-2024-47911
CVSS v3.1: 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SonarSource SonarQube versions 10.4 through 10.5 before 10.6
Description
A vulnerability was discovered in the "authorizations/group-memberships" API endpoint that allows a SonarQube user holding the administrator role to perform blind SQL injection through the endpoint's parameters. This issue affects the SonarSource SonarQube versions listed above.
Recommendations
For SonarSource SonarQube versions 10.4 through 10.5 before 10.6, update to version 10.6 or later to resolve the issue. As a temporary workaround until the update is applied, consider restricting access to the "authorizations/group-memberships" API endpoint.
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products: Sonarqube