SonarQube Scanner GitHub Action Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the SonarQube Scanner GitHub Action, affecting versions 4.0.0 through 5.3.0. The action processes untrusted input arguments without adequate sanitization and treats them as shell expressions, which can allow the execution of arbitrary commands.
Impact
Exploitation of this vulnerability results in command injection: an attacker who controls the action's input arguments can execute arbitrary commands on the runner on which the GitHub Action executes.
Reproduction
The vulnerability can be reproduced by supplying the SonarQube Scanner GitHub Action with input arguments that contain crafted payloads exploiting the command injection flaw, for example by pushing a commit to a repository whose GitHub Actions workflow file references a vulnerable version of the action. Depending on the repository settings, the workflow can be triggered manually or automatically.
Remediation
Upgrade to SonarQube Scanner GitHub Action version 5.3.1 or later, where this vulnerability has been patched.
