CNNVD-202509-222 Information

CNNVD ID

CNNVD-202509-222

CVE-2025-58178

  • CNNVD Published: 2025-09-02

Description (translated from Chinese)

SonarQube Server is a code quality and security audit platform from the Swiss company Sonar. Versions 4 through 5.3.0 of the SonarQube Scan GitHub Action contain a command injection vulnerability; it stems from command injection in the SonarQube Scan GitHub Action and may allow execution of arbitrary commands.

Description (English)

SonarQube Server is Sonar's code quality and security audit platform. Versions 4 through 5.3.0 of the SonarQube Scan GitHub Action (SonarSource/sonarqube-scan-action), which runs SonarQube Server scans from GitHub workflows, contain a command injection vulnerability that can lead to execution of arbitrary commands in the workflow job. Note that the affected version range refers to the GitHub Action's releases, not to SonarQube Server itself; the linked advisory (GHSA-f79p-9c5r-xg88) and fix PR belong to the action's repository.
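Because the affected component is a GitHub Action referenced by git ref, the practical first check is to find every workflow that pins `SonarSource/sonarqube-scan-action` to a release inside the published affected range, including floating tags such as `v5` that may silently resolve into it. The following checker is an added example written for this page, not code from Sonar or from the advisory. It encodes only the range stated above (4 through 5.3.0); a ref reported as "ok" merely lies outside that range, it is not a statement about which later release carries the fix. The sample workflow and its refs (including the 40-hex commit and `v5.3.1`) are constructed for illustration.

```python
"""Flag workflow steps that pin SonarSource/sonarqube-scan-action to a release
inside the affected range published for CVE-2025-58178 (4 through 5.3.0).
Added example for this page; not Sonar's code and not the advisory's."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

ACTION = "sonarsource/sonarqube-scan-action"   # repo names are case-insensitive
AFFECTED_MIN = (4, 0, 0)                        # range stated on this page
AFFECTED_MAX = (5, 3, 0)
UNBOUNDED = 10**9                               # "any minor/patch" for a floating tag

# `- uses: owner/repo@ref` with optional quoting and a trailing YAML comment
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?(?P<repo>[^@\s"']+)@(?P<ref>[^\s"'#]+)""")
TAG_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")   # v5, v5.3, v5.3.0, 5.3.0
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


@dataclass
class Finding:
    line_no: int
    ref: str
    status: str   # "affected", "ok" or "review"
    reason: str


def tag_bounds(ref: str) -> Optional[Tuple[tuple, tuple]]:
    """Lowest and highest release a tag can denote: v5 covers 5.0.0 .. 5.*.*."""
    m = TAG_RE.match(ref)
    if not m:
        return None
    parts = [int(p) if p is not None else None for p in m.groups()]
    lo = tuple(p if p is not None else 0 for p in parts)
    hi = tuple(p if p is not None else UNBOUNDED for p in parts)
    return lo, hi


def classify_ref(ref: str) -> Tuple[str, str]:
    """Decide whether a ref is inside, outside, or possibly inside the affected range."""
    if SHA_RE.match(ref):
        return "review", "pinned to a commit; map the SHA to a release tag before deciding"
    bounds = tag_bounds(ref)
    if bounds is None:
        return "review", f"'{ref}' is a branch or unrecognised ref and floats"
    lo, hi = bounds
    if hi < AFFECTED_MIN or lo > AFFECTED_MAX:
        return "ok", f"'{ref}' lies outside the published affected range"
    if AFFECTED_MIN <= lo and hi <= AFFECTED_MAX:
        return "affected", f"'{ref}' resolves only to releases in 4.0.0..5.3.0"
    return "review", f"floating tag '{ref}' may resolve to an affected release"


def scan_workflow(text: str) -> List[Finding]:
    """Return one Finding per step that uses the action, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group("repo").lower() != ACTION:
            continue
        status, reason = classify_ref(m.group("ref"))
        findings.append(Finding(line_no, m.group("ref"), status, reason))
    return findings


# Constructed sample workflow (not from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan-pinned:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: SonarSource/sonarqube-scan-action@v5.3.0
        with:
          args: -Dsonar.projectKey=demo
  scan-floating:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: sonarsource/sonarqube-scan-action@v5   # floating major tag
  scan-commit:
    runs-on: ubuntu-latest
    steps:
      - uses: SonarSource/sonarqube-scan-action@0123456789abcdef0123456789abcdef01234567
  scan-later:
    runs-on: ubuntu-latest
    steps:
      - uses: SonarSource/sonarqube-scan-action@v5.3.1
"""

if __name__ == "__main__":
    # Scan the files given on the command line, else .github/workflows/, else the sample.
    paths = [Path(p) for p in sys.argv[1:]] or list(Path(".github/workflows").glob("*.y*ml"))
    sources = [(str(p), p.read_text()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    for name, text in sources:
        for f in scan_workflow(text):
            print(f"{name}:{f.line_no}: {f.status.upper():8} {ACTION}@{f.ref}: {f.reason}")
```

Treat every "review" result as unresolved: a floating `v5` tag and a commit SHA both need to be mapped to the concrete release they resolve to (the action's release page linked under Patch below) before the workflow can be marked clean.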

Hazard Level

Medium

Vulnerability Type

Command injection

Affected Vendor

Sonar

Published

2025-09-02

Last Modified

2026-02-24

References

  • https://sonarsource.atlassian.net/browse/SQSCANGHA-101
  • https://github.com/SonarSource/sonarqube-scan-action/security/advisories/GHSA-f79p-9c5r-xg88
  • https://github.com/SonarSource/sonarqube-scan-action/pull/200
  • https://github.com/SonarSource/sonarqube-scan-action/commit/016cabf33a6b7edf0733e179a03ad408ad4e88ba
  • https://community.sonarsource.com/t/security-advisory-sonarqube-scanner-github-action/147696
  • https://access.redhat.com/security/cve/cve-2025-58178
  • https://nvd.nist.gov/vuln/detail/CVE-2025-58178

Patch

https://github.com/SonarSource/sonarqube-scan-action/releases