SonarQube GitHub Action Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the SonarQube GitHub Action, affecting versions from 4.0.0 up to but not including 6.0.0. It is triggered when a workflow running on a Windows runner passes user-controlled input to the 'args' parameter without adequate validation. The flaw bypasses a previous security fix and allows arbitrary command execution, which could expose sensitive environment variables and compromise the runner environment.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected Windows runner, potentially leading to exposure of sensitive environment variables and compromise of the runner environment.

Remediation

Users are advised to upgrade to SonarQube GitHub Action version 6.0.0 or later.
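The following script is added here as an illustration; it is not part of this advisory and not code from the SonarQube action. It audits GitHub workflow files for the combination the advisory describes: an action version in the affected range, a Windows runner, and workflow-expression contexts an outside contributor can influence inside 'args'. It assumes the action is published as SonarSource/sonarqube-scan-action (the advisory does not state the slug) and treats github.event.* and github.head_ref as user-controlled, which is a heuristic rather than an exhaustive list. The embedded sample workflow is constructed for the demonstration.

```python
"""Audit GitHub Actions workflows for the advisory's risky pattern:
affected SonarQube action version (4.0.0 <= v < 6.0.0), Windows runner,
and user-influenced expressions in `args`. Line-based parsing keeps the
script free of any YAML dependency."""
import re

# Assumed action slug; the advisory itself does not name it.
ACTION_SLUG = "sonarsource/sonarqube-scan-action"
# Heuristic set of expression contexts treated as user-controlled.
UNTRUSTED_PREFIXES = ("github.event.", "github.head_ref")

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([\w.-]+/[\w.-]+)@(\S+)")
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(.+?)\s*$")
ARGS_RE = re.compile(r"^\s*args:\s*(.*?)\s*$")
EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")


def version_affected(ref):
    """True for tags in [4.0.0, 6.0.0); None when the ref is a branch or SHA."""
    m = re.fullmatch(r"v?(\d+)(?:\.\d+)?(?:\.\d+)?", ref)
    if not m:
        return None
    return 4 <= int(m.group(1)) < 6


def audit_workflow(text):
    """Return one finding dict per SonarQube scan step in the workflow text."""
    findings = []
    runs_on = None
    step = None    # SonarQube step currently being read
    block = None   # (indent, lines) while inside a block-scalar `args: >` value

    def close_step():
        nonlocal step, block
        if step is not None:
            args_text = " ".join(block[1]) if block else step["args"]
            untrusted = [e for e in EXPR_RE.findall(args_text)
                         if e.startswith(UNTRUSTED_PREFIXES)]
            step["affected_version"] = version_affected(step["ref"])
            step["windows_runner"] = bool(step["runs_on"]) and "windows" in step["runs_on"].lower()
            step["untrusted_in_args"] = untrusted
            # Unknown refs (branches, SHAs) are treated as possibly affected.
            step["at_risk"] = (step["affected_version"] is not False
                               and step["windows_runner"] and bool(untrusted))
            findings.append(step)
        step, block = None, None

    for lineno, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if block is not None and line.strip() and indent > block[0]:
            block[1].append(line.strip())      # continuation of a block scalar
            continue
        m = RUNS_ON_RE.match(line)
        if m:
            close_step()
            runs_on = m.group(1).strip("'\"")
            continue
        m = USES_RE.match(line)
        if m:
            close_step()
            if m.group(1).lower() == ACTION_SLUG:
                step = {"line": lineno, "ref": m.group(2), "runs_on": runs_on, "args": ""}
            continue
        if step is None:
            continue
        if line.lstrip().startswith("- "):     # next step begins
            close_step()
            continue
        m = ARGS_RE.match(line)
        if m:
            if m.group(1) in (">", "|", ">-", "|-"):
                block = (indent, [])
            else:
                step["args"] = m.group(1).strip("'\"")
    close_step()
    return findings


# Constructed sample workflow, not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: pr-scan
on: [pull_request_target]
jobs:
  scan-windows:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - name: SonarQube scan
        uses: SonarSource/sonarqube-scan-action@v5.2.0
        with:
          args: >
            -Dsonar.projectVersion=${{ github.event.pull_request.title }}
            -Dsonar.branch.name=${{ github.head_ref }}
  scan-linux:
    runs-on: ubuntu-latest
    steps:
      - uses: SonarSource/sonarqube-scan-action@v6.0.0
        with:
          args: -Dsonar.projectVersion=${{ github.run_number }}
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run against a repository's .github/workflows directory, the script flags only the first job: version 5.2.0 is in the affected range, the runner is Windows, and both expressions in 'args' come from contexts a pull request author controls. The second job is reported but not at risk: version 6.0.0 is past the fix, the runner is not Windows, and github.run_number is not user-influenced. The remediation for any at_risk finding is the one the advisory gives, upgrading to 6.0.0 or later; moving untrusted values out of 'args' and into environment variables is a separate hardening step that this script does not evaluate.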

Added: Sep 26, 2025, 5:17 PM
Updated: Sep 26, 2025, 5:17 PM

Vulnerability Rating

Custom Algorithm

spread           0.0
impact          10.0
exploitability   4.8
remediation      7.7
relevance        0.6
threat           0.0
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.