CVE-2024-47911

MEDIUM

SonarQube 10.4-10.5 - Authenticated Blind SQL Injection via Authorizations Group-Memberships API


Description

In SonarSource SonarQube 10.4 through 10.5 (before 10.6), the authorizations/group-memberships API endpoint is vulnerable to blind SQL injection by authenticated users holding the administrator role.

References (1)

Issue Tracking, Third Party Advisory
https://sonarsource.atlassian.net/browse/SONAR-22340

Scores

CVSS v3 6.7
EPSS 0.0044
EPSS Percentile 35.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
sonarsource/sonarqube 10.4 - 10.6
Published Oct 04, 2024
Tracked Since Feb 18, 2026