216.73.216.86

CVE-2025-58178

· Published 02/09/2025 01:15 · Modified 02/09/2025 15:55

Labels: CVE-2025-58178 2025-09-02CVE-2025-58178CWE-77[email protected]

Essential information

Published
02/09/2025 01:15
Modified
02/09/2025 15:55
Author
Creator
CVSS
7.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. In versions 4 to 5.3.0, a command injection vulnerability was discovered in the SonarQube Scan GitHub Action that allows untrusted input arguments to be processed without proper sanitization. Arguments sent to the action are treated as shell expressions, allowing potential execution of arbitrary commands. A fix has been released in SonarQube Scan GitHub Action 5.3.1.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
sonarqube / sonarqube cpe:2.3:a:sonarqube:sonarqube:*:5.3.0:*:*:*:*:*:*

References