CVE-2025-58178
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-77
Neutralización incorrecta de elementos especiales usados en un comando (Inyección de comando)
Fecha de publicación:
02/09/2025
Última modificación:
02/09/2025
Descripción
*** Pendiente de traducción *** SonarQube Server and Cloud is a static analysis solution for continuous code quality and security inspection. In versions 4 to 5.3.0, a command injection vulnerability was discovered in the SonarQube Scan GitHub Action that allows untrusted input arguments to be processed without proper sanitization. Arguments sent to the action are treated as shell expressions, allowing potential execution of arbitrary commands. A fix has been released in SonarQube Scan GitHub Action 5.3.1.
Impacto
Puntuación base 3.x
7.80
Gravedad 3.x
ALTA
Referencias a soluciones, herramientas e información
- https://community.sonarsource.com/t/security-advisory-sonarqube-scanner-github-action/147696
- https://github.com/SonarSource/sonarqube-scan-action/commit/016cabf33a6b7edf0733e179a03ad408ad4e88ba
- https://github.com/SonarSource/sonarqube-scan-action/pull/200
- https://github.com/SonarSource/sonarqube-scan-action/security/advisories/GHSA-f79p-9c5r-xg88
- https://sonarsource.atlassian.net/browse/SQSCANGHA-101