Sonatype Nexus Security Advisory
Date: May 16, 2024
Affected Versions: All previous Sonatype Nexus Repository 3.x OSS/Pro versions up to and including 3.68.0
Fixed in Version: Sonatype Nexus Repository OSS/Pro version 3.68.1
Summary
A vulnerability has been discovered in Nexus Repository 3 requiring immediate action. The vulnerability allows for an attacker to craft a URL to return any file as a download, including system files outside of Nexus Repository application scope, without any authentication.
We have mitigated the issue with an internal code change. If you cannot upgrade immediately, alternative mitigations can be found at https://support.sonatype.com/hc/en-us/articles/29412417068819.
This vulnerability was identified by an external researcher and has been verified by our security team.
At the time of initial announcement, Sonatype was not aware of any active exploits taking advantage of this issue.
Updates
2024-05-24
Sonatype has become aware of proof-of-concept exploitation examples in the public domain.
Recommendation
We highly recommend that all affected instances of Sonatype Nexus Repository 3 be upgraded to Nexus Repository version 3.68.1 or later. Download the latest version from the following location:
https://help.sonatype.com/repomanager3/download
Out of an abundance of caution we recommend rotating credentials to services connected to Nexus Repository or its host.
Immediate Mitigation Options
Upgrading Nexus Repository is the recommended approach for eliminating this vulnerability. However, immediate mitigation options are available for deployments that cannot upgrade right away:
https://support.sonatype.com/hc/en-us/articles/29412417068819
Credit
This issue was discovered and reported responsibly by Erick Fernando Xavier de Oliveira (erickfernandox) via Sonatype’s Bug Bounty Program.
Support
If you run into any problems, or have any questions/concerns, please contact us by filing a ticket at https://support.sonatype.com.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An attacker can craft a URL to return any file as a download, including system files outside of Sonatype Nexus Repository 3 application scope.
Q: What preconditions must be met in order to be vulnerable?
A: An attacker must have network access to the Sonatype Nexus Repository 3 instance.
Q: Are there implications associated with this advisory itself?
A: Disclosure unfortunately means bad actors may try to take advantage. While we have initially limited the information to the minimum details necessary for users to effect an appropriate fix, this merely slows down a would-be attacker. As such, we are advising all organisations using Nexus Repository to immediately assess their individual impact and take appropriate action in response.
Q: Where can I obtain more information associated with the vulnerability?
A: At this time, and in the interest of best protecting our user community, we are limiting the information released to what is absolutely required in order to assess impact and effect remediation. Please contact support for more information.
Q: Why is Sonatype making this information available?
A: This is part of a responsible disclosure process. Given that Sonatype Nexus Repository 3 is an open-source project with widespread usage, notifying the user base will invariably lead to broad dissemination. We are taking a concerted and proactive approach in our outreach activities in an effort to achieve the most rapid remediation possible.