CVE-2025-47910

SonarSource SonarQube

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-47910 is a vulnerability in SonarSource SonarQube before 9.9.5 LTA and in 10.x before 10.5. It allows a SonarQube user with the Administrator role to modify an existing GitHub integration configuration in order to exfiltrate a pre-signed JWT. The underlying issue is improper access control in the GitHub integration configuration. If exploited, the vulnerability could expose sensitive authentication tokens, potentially allowing unauthorized access to integrated GitHub resources.

The vulnerability has been fixed in SonarQube versions 9.9.5 LTA and 10.5, which were released on June 25, 2024. The fix forces administrators to provide a Private Key for verification when modifying the GitHub API URL. Users are advised to upgrade to these versions or later.



References

Sources include official advisories and independent security research.