CVE-2020-37020
Unquoted Service Path Vulnerability in SonarQube 8.3.1 Enables SYSTEM Access
Publication date: 2026-01-29
Last updated on: 2026-01-29
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sonarqube | sonarqube | 8.3.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unquoted service path issue in SonarQube version 8.3.1 on Windows. Because the service executable path contains spaces but is not enclosed in quotes, a local attacker with write permissions to the service directory can place a malicious executable named 'wrapper.exe' in the path. When the SonarQube service restarts, it executes this malicious executable with SYSTEM privileges, allowing the attacker to run arbitrary code with the highest system-level access. [1]
How can this vulnerability impact me?
If exploited, this vulnerability allows a local attacker to escalate their privileges to SYSTEM level on the affected machine. This means the attacker can execute arbitrary code with the highest privileges, potentially leading to full control over the system, unauthorized access to sensitive data, installation of persistent malware, and disruption of services. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect unquoted service paths by listing auto-start services whose executable path lies outside the Windows directory and is not enclosed in quotes: `wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\" | findstr /i /v """`. Then verify the SonarQube service configuration and account with `sc qc SonarQube`: the output shows whether the service runs as LocalSystem and whether its binary path is unquoted; both together indicate the vulnerability. [1]
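As an added example that is not part of this record, the script below parses the `sc qc` output described above, flags a binary path that is unquoted and contains spaces, lists the parent-path locations whose write permissions must be checked, and produces the correctly quoted BINARY_PATH_NAME for remediation. The sample `sc qc` output and the SonarQube install path are constructed for illustration, not captured from a real host.

```python
import re

# Constructed sample of `sc qc SonarQube` output (install path assumed, not from a real host)
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SonarQube
        BINARY_PATH_NAME   : C:\\Program Files\\SonarQube\\bin\\windows-x86-64\\wrapper.exe -s "C:\\Program Files\\SonarQube\\conf\\wrapper.conf"
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Collect the `KEY : VALUE` lines of `sc qc` output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def split_exe_and_args(binary_path):
    """Return (executable, arguments, was_quoted). For an unquoted value the
    executable is the shortest space-joined prefix ending in .exe."""
    if binary_path.startswith('"'):
        end = binary_path.find('"', 1)
        return binary_path[1:end], binary_path[end + 1:].strip(), True
    tokens = binary_path.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:]), False
    return binary_path, "", False

def search_path_candidates(exe):
    """Parent-path locations Windows probes before the real binary when the path
    is unquoted (each space-delimited prefix + .exe); none may be user-writable."""
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]

def assess_service(sc_output):
    """Flag an unquoted, space-containing binary path and build the quoted fix."""
    f = parse_sc_qc(sc_output)
    exe, args, quoted = split_exe_and_args(f.get("BINARY_PATH_NAME", ""))
    at_risk = not quoted and " " in exe
    return {
        "service": f.get("SERVICE_NAME"),
        "runs_as_localsystem": f.get("SERVICE_START_NAME", "").lower() == "localsystem",
        "unquoted_path_with_spaces": at_risk,
        "check_write_acl_on": search_path_candidates(exe) if at_risk else [],
        "fixed_binary_path": f'"{exe}" {args}'.strip() if at_risk else f.get("BINARY_PATH_NAME"),
    }
```

Call `assess_service()` on the text of `sc qc <service>` for each auto-start service; `fixed_binary_path` is the value to set when re-quoting the path, and `check_write_acl_on` lists the locations whose ACLs must deny writes to standard users.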
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Restrict write permissions to the directory containing the SonarQube service executable to prevent placing a malicious wrapper.exe.
2. Quote the service executable path properly to prevent exploitation of unquoted service paths.
3. Restart the SonarQube service after applying fixes.
4. Monitor and audit service directories for unauthorized executables.

If possible, update to a fixed version or apply vendor patches addressing the unquoted service path vulnerability. [1]