Date: March 6, 2024
Affected Versions:
Sonatype IQ Server version 143 up to and including version 170.
Fixed in Version:
Sonatype IQ Server version 171 and later.
Risk:
Medium - 5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Summary:
Sonatype discovered a path traversal vulnerability in Sonatype IQ Server via our own internal testing of the product. This vulnerability could allow remotely authenticated attackers to overwrite or delete files via a specially crafted request.
We highly recommend upgrading to Sonatype IQ Server version 172 or higher from the following location:
Download latest version of Sonatype IQ Server
For detailed information on upgrading, refer to Upgrading the IQ Server.
Support:
If you run into any problems or have any questions/concerns, please contact us by filing a ticket at https://support.sonatype.com.
Frequently asked questions:
Q: What is the risk associated with this vulnerability?
A: A remotely authenticated user (attacker) could potentially overwrite or delete files using a specially crafted request.
Q: What preconditions must be met in order to be vulnerable?
A: The attacker must have proper credentials for authentication.
Q: Are there any implications associated with this advisory itself?
A: We have intentionally limited the information to the minimum necessary details to prevent adverse impacts. This slows down a would-be attacker. We are advising all users of Sonatype IQ Server to immediately assess their impact and take appropriate action.
Q: Why is Sonatype making this information available?
A: This is a part of our concerted and proactive vulnerability disclosure process to ensure that our outreach activities achieve the most rapid remediation possible.