CVE-2024-4956: UNAUTHENTICATED PATH TRAVERSAL IN NEXUS REPOSITORY MANAGER 3

Vaibhav Kumar Srivastava
Jun 5, 2024

The Nexus Repository Manager, a crucial tool for managing, storing, and distributing development artifacts, has recently been found to have a significant security flaw. The vulnerability is a path traversal issue that affects version 3 of the Nexus Repository Manager, specifically releases prior to 3.68.1.

In today’s blog we will see which components are affected, how the vulnerability can be exploited, and what the possible remediations are.

Affected Components/versions:

How to hunt, reproduce and verify the vulnerability?

Step 1: Run the query http.html:"Nexus Repository" in Shodan to get the list of IPs where the affected components of Nexus are hosted.

Step 2: Pick any of the targets and open the instance in the browser. Make sure you intercept the request in Burp Suite.

Step 3: Forward the request to Repeater and make the changes as shown in the screenshot. (Path traversal in URL: /%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd)

Step 4: Observe the response to the crafted request. An unauthorised user is able to read local file data without any authentication or authorisation.
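On the detection side, the request from Step 3 leaves a recognisable trace in access logs. The script below is an added example, not part of the original post: it flags requests whose decoded path climbs above the web root. It assumes common/combined log format, and the sample log lines and IPs are constructed.

```python
import re
from urllib.parse import unquote

# Request line and status in a common/combined log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines; the second carries the path shown in Step 3.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jun/2024:10:00:01 +0000] "GET /service/rest/v1/status HTTP/1.1" 200 0',
    '198.51.100.7 - - [05/Jun/2024:10:00:02 +0000] "GET /%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd HTTP/1.1" 200 1024',
    '192.0.2.10 - - [05/Jun/2024:10:00:03 +0000] "GET /repository/maven-public/a/b/../b/x.pom HTTP/1.1" 200 512',
]

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are caught too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_root(path):
    """True if '..' segments climb above the root of the decoded path."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue  # repeated slashes must not count as directories
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def scan(lines):
    """Return (client_ip, status, raw_path) for each request that escapes root."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group("target").split("?", 1)[0]
        if escapes_root(decode_fully(raw)):
            hits.append((line.split(" ", 1)[0], int(m.group("status")), raw))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit with status 200 deserves priority in triage, since it suggests the file was actually served rather than rejected.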

Remediation/Patches available?

Want to learn more and dig deeper?

I would suggest going through the articles mentioned below.

Let’s connect:

LinkedIn: https://www.linkedin.com/in/vaibhav-kumar-srivastava-378742a9/

STAY CURIOUS STAY PROTECTED !!
