Sonatype has disclosed two significant vulnerabilities in a critical security update released on November 13, 2024, affecting their Nexus Repository Manager 2.x versions.
The two vulnerabilities pose serious risks to organizations using the affected software versions.
The two vulnerabilities were discovered and reported by Michael Stepankin (artsploit) through Sonatype’s Bug Bounty Program.
The vulnerabilities are identified as “CVE-2024-5082” and “CVE-2024-5083.”
Sonatype has stated that they are not aware of any active exploits in the wild but urges users to take immediate action due to the severity of the vulnerabilities.
Flaw Profile
Remote Code Execution Vulnerability (CVE-2024-5082)
The first vulnerability, CVE-2024-5082, is a remote code execution (RCE) flaw that affects all Sonatype Nexus Repository Manager 2.x OSS/Pro versions up to and including 2.15.1. This critical issue allows an attacker to execute arbitrary code by publishing a specially crafted Maven artifact.
Attack Vector: An attacker with network access and minimal permissions to publish a Maven artifact can exploit this vulnerability.
Mitigation: Sonatype strongly recommends upgrading to Nexus Repository version 2.15.2, which addresses the vulnerability. For organizations unable to upgrade immediately, a custom Web Application Firewall (WAF) rule can be implemented as a temporary mitigation measure.
Stored Cross-Site Scripting Vulnerability (CVE-2024-5083)
The second vulnerability, CVE-2024-5083, is a stored cross-site scripting (XSS) flaw affecting the same versions as the RCE vulnerability. This issue allows an attacker to embed malicious scripts within Maven artifacts, which can be executed when an administrator views the artifact’s content.
Impact: If exploited, this vulnerability could lead to unauthorized actions being performed with administrator privileges.
Mitigation: Similar to the RCE vulnerability, upgrading to version 2.15.2 is the recommended solution. Alternatively, organizations using a reverse proxy can implement specific Nginx configurations to mitigate the risk.
Sonatype provided the following recommendations:
- Upgrade to Nexus Repository Manager 3, as version 2.x is under Extended Maintenance.
- If migration is not possible, upgrade to version 2.15.2 immediately.
- Implement provided WAF rules or Nginx configurations for immediate mitigation if upgrading is not feasible.
- Assess the potential impact on your organization and take appropriate action.
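To support the "assess the potential impact" step, the following added example (not Sonatype tooling, and not taken from the advisory) turns the stated affected range into a triage check over an inventory of Nexus instances: every 2.x OSS/Pro release up to and including 2.15.1 is flagged, 2.15.2 and later are not, and 3.x is outside the advisory's stated scope. The hostnames and version strings in SAMPLE_INVENTORY are constructed. The comparison is done on numeric tuples rather than strings so that 2.15.10 is correctly treated as newer than 2.15.2, and a trailing build qualifier such as "-01" is ignored because the advisory describes the range by release number only.

```python
"""Triage helper for the Nexus Repository Manager 2.x advisory
(CVE-2024-5082 RCE and CVE-2024-5083 stored XSS).

Affected: all 2.x OSS/Pro versions <= 2.15.1. Fixed: 2.15.2.
Added example, not part of the original article or of Sonatype's tooling."""

import re
from typing import Iterable, List, Tuple

FIXED_2X = (2, 15, 2)  # first 2.x release that addresses both CVEs


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.15.1', '2.14.20-01' or 'v2.15' into a tuple of ints.

    A trailing build qualifier ('-01') is dropped: the advisory defines the
    affected range by release number, so the qualifier does not change the
    decision. Short versions are padded so '2.15' compares like 2.15.0.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the instance is a 2.x release below the 2.15.2 fix.

    Anything that is not a 2.x release (e.g. Nexus 3.x) is outside the range
    the advisory describes and is reported as not affected by this check.
    """
    v = parse_version(version)
    return v[0] == 2 and v < FIXED_2X


def recommendation(version: str) -> str:
    """Action derived from the advisory's guidance for one version string."""
    if not is_affected(version):
        return "not in affected range"
    return ("affected: upgrade to 2.15.2 or migrate to Nexus 3; "
            "apply the vendor WAF rule / Nginx configuration until then")


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("nexus-build.example.internal", "2.15.1"),
    ("nexus-legacy.example.internal", "2.14.20-01"),
    ("nexus-patched.example.internal", "2.15.2"),
    ("nexus-new.example.internal", "3.70.1-02"),
]


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Return (host, version, affected) for every inventory entry."""
    return [(host, ver, is_affected(ver)) for host, ver in inventory]


if __name__ == "__main__":
    for host, ver, hit in triage(SAMPLE_INVENTORY):
        status = "AFFECTED" if hit else "ok"
        print(f"{host:32} {ver:12} {status:9} {recommendation(ver)}")
```

Run it as-is to see the constructed inventory classified; in practice, feed it the version strings recorded for each instance in your asset inventory and act on every row marked AFFECTED.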
The disclosure of these vulnerabilities underscores the importance of maintaining up-to-date software and implementing robust security measures. Organizations using Sonatype Nexus Repository Manager 2.x should prioritize addressing these issues to protect their systems from potential attacks.
Sonatype’s proactive approach in disclosing and providing mitigation strategies demonstrates their commitment to user security and responsible vulnerability management.