Quoting the Snyk Security Research Team (kudos for having found the vulnerability):
The vulnerability (Which has manifested itself in other products in the past, such projects as Apache OpenMeetings and Jetspeed, and libraries as Rubyzip) is an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. Of course if an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.
This vulnerability is present in the class org.sonar.api.utils.ZipUtils. It is fixed in SonarQube 6.7.4 LTS and in latest version 7.2.
Thanks to the Snyk Security Research Team for communicating this vulnerability to us!