cbcvebase.
CVE-2024-4956
published 2024-05-16

CVE-2024-4956: Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.

Priority: P2 (70), high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: available
EPSS: 18.25% (96.9th percentile)

Affected (1 range)

Vendor     Product            Version range    Fixed in
sonatype   nexus_repository   3.0.0 – 3.68.0   3.68.1

Detection & IOCs (extracted from sources)

url: /%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd
url: /%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/shadow
url: {{BaseURL}}/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
yara: regex('root:.*:0:0:', body) AND contains(header, "application/octet-stream") AND status_code == 200
  • Successful exploitation returns HTTP 200 with Content-Type header 'application/octet-stream' and body matching regex 'root:.*:0:0:' (contents of /etc/passwd).
  • The exploit fingerprints vulnerable Nexus instances via Google Dork: header="Server: Nexus/3.53.0-01 (OSS)" and FOFA queries on title="Nexus Repository Manager".
  • FOFA queries used to identify exposed Nexus instances: title="Nexus Repository Manager" or title="nexus repository manager".
  • The exploit filters out false positives by checking that the response does NOT contain the string 'nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false', 'Not Found', or '400 Bad Request', but DOES contain 'root'.
  • Attack is unauthenticated and uses URL-encoded path traversal sequences (multiple leading %2F slashes followed by ..%2F sequences) in a plain HTTP GET request — no special headers or authentication required.
  • The vulnerability is fixed in Sonatype Nexus Repository 3 version 3.68.1 and later; instances running versions prior to 3.68.1 are affected.
  • The exploit was specifically tested against version 3.53.0-01 on Ubuntu 20.04, but the vulnerability affects the broader Nexus Repository 3 product line below 3.68.1.
  • EPSS score of 0.94028 (99.9th percentile) indicates extremely high likelihood of exploitation in the wild; treat as actively exploited.
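The request-side signature above (several leading encoded slashes followed by repeated ..%2F hops, sent as a plain GET) turned into a log scanner, as an added example that is not from this page's sources: it flags CVE-2024-4956-style requests in access-log lines and reports whether the server answered 200. The combined/NCSA log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Request-side signature from this page's IoCs: two or more leading encoded
# slashes (%2F) followed by repeated "../" hops once percent-decoded.
LEADING_ENCODED_SLASHES = re.compile(r"^/(?:%2F){2,}", re.IGNORECASE)
TRAVERSAL_HOPS = re.compile(r"(?:\.\./){2,}")  # applied to the decoded path

# Assumption: Nexus sits behind a reverse proxy logging in combined/NCSA format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: one hit served with 200, one benign artifact fetch,
# one probe that the server rejected, one benign single "../".
SAMPLE_LOG = [
    '203.0.113.7 - - [16/May/2024:10:01:02 +0000] "GET '
    '/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd'
    ' HTTP/1.1" 200 1337',
    '198.51.100.4 - - [16/May/2024:10:01:05 +0000] "GET '
    '/repository/maven-public/org/example/lib/1.0/lib-1.0.pom HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/May/2024:10:01:09 +0000] "GET '
    '/%2F%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 404 0',
    '198.51.100.9 - - [16/May/2024:10:02:00 +0000] "GET '
    '/static/../index.html HTTP/1.1" 200 200',
]

def classify_request(path, status):
    """None for benign paths; otherwise '<signature>/<outcome>'."""
    decoded = unquote(unquote(path))  # handles single and double encoding
    if not TRAVERSAL_HOPS.search(decoded):
        return None
    signature = ("cve-2024-4956-style" if LEADING_ENCODED_SLASHES.match(path)
                 else "generic-traversal")
    outcome = "served-200" if status == 200 else f"http-{status}"
    return f"{signature}/{outcome}"

def scan_access_log(lines):
    """Return (ip, decoded path, status, verdict) for each suspicious line."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected log format; skip
        status = int(m["status"])
        verdict = classify_request(m["path"], status)
        if verdict:
            findings.append((m["ip"], unquote(unquote(m["path"])), status, verdict))
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```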