Publish GHSA-5xq9-5g24-4g6f

Author: advisory-database[bot]

advisories/github-reviewed/2025/09/GHSA-5xq9-5g24-4g6f/GHSA-5xq9-5g24-4g6f.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5xq9-5g24-4g6f",
-  "modified": "2025-09-26T19:26:41Z",
+  "modified": "2025-09-29T14:23:15Z",
   "published": "2025-09-26T13:01:10Z",
   "aliases": [
     "CVE-2025-59844"
   ],
   "summary": "Argument injection vulnerability in SonarQube Scan Action",
-  "details": "A command injection vulnerability exists in SonarQube GitHub Action prior to v6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially leading to exposure of sensitive environment variables and compromise of the runner environment.\n\n\n### Patches\nThe vulnerability has been fixed in version v6.0.0. Users should upgrade to this version or later.\n\n\n### References\n- Community Post: https://community.sonarsource.com/t/sonarqube-scanner-github-action-v6/149281 \n- Fix release: https://github.com/SonarSource/sonarqube-scan-action/releases/tag/v6.0.0",
+  "details": "A command injection vulnerability exists in SonarQube GitHub Action prior to v6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially leading to exposure of sensitive environment variables and compromise of the runner environment.\n\n\n### Patches\nThe vulnerability has been fixed in version v6.0.0. Users should upgrade to this version or later.\n\n\n### Credits\nFrancois Lajeunesse-Robert (Boostsecurity.io)\n\n\n### References\n- Community Post: https://community.sonarsource.com/t/sonarqube-scanner-github-action-v6/149281 \n- Fix release: https://github.com/SonarSource/sonarqube-scan-action/releases/tag/v6.0.0",
   "severity": [
     {
       "type": "CVSS_V4",