CVE-2025-13488 (GCVE-0-2025-13488)
Vulnerability from cvelistv5 – Published: 2025-12-04 18:16 – Updated: 2025-12-04 20:00
Summary
Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user context.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags |
|---|---|
| https://help.sonatype.com/en/sonatype-nexus-repository-3-87-0-release-notes.html | patch |
| https://support.sonatype.com/hc/en-us/articles/46896142768019 | vendor-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Sonatype | Nexus Repository | Affected: 3.83.0 up to and including 3.86.2 (semver) |
cpe:2.3:a:sonatype:nexus_repository_manager:3.83.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.83.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.83.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.84.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.84.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.85.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.86.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.86.2:*:*:*:*:*:*:* |
Credits
Seif Elsallamy / @0x21SAFE
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-04T18:55:03.160324Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T20:00:41.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sonatype:nexus_repository_manager:3.83.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.83.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.83.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.84.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.84.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.85.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.86.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.86.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Nexus Repository",
"vendor": "Sonatype",
"versions": [
{
"lessThanOrEqual": "3.86.2",
"status": "affected",
"version": "3.83.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Seif Elsallamy / @0x21SAFE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDue to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eXSS\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e) vulnerability with user context.\u003c/span\u003e"
}
],
"value": "Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user context."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T18:16:56.582Z",
"orgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"shortName": "Sonatype"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://help.sonatype.com/en/sonatype-nexus-repository-3-87-0-release-notes.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://support.sonatype.com/hc/en-us/articles/46896142768019"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Nexus Repository 3 - Stored Cross-Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"assignerShortName": "Sonatype",
"cveId": "CVE-2025-13488",
"datePublished": "2025-12-04T18:16:56.582Z",
"dateReserved": "2025-11-20T20:16:15.824Z",
"dateUpdated": "2025-12-04T20:00:41.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9868 (GCVE-0-2025-9868)
Vulnerability from cvelistv5 – Published: 2025-10-08 17:07 – Updated: 2025-10-08 17:23
Summary
Server-Side Request Forgery (SSRF) in the Remote Browser Plugin in Sonatype Nexus Repository 2.x up to and including 2.15.2 allows unauthenticated remote attackers to exfiltrate proxy repository credentials via crafted HTTP requests.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags |
|---|---|
| https://support.sonatype.com/hc/en-us/articles/45363201583635 | vendor-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Sonatype | Nexus Repository | Affected: 2.0.0 up to and including 2.15.2 (semver) |
cpe:2.3:a:sonatype:nexus_repository_manager:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.4.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.5.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.7.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.7.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.7.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.8.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.8.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.9.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.9.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.9.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.10.0:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:2.11.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.12.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.12.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.13.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.5:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.6:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.7:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.8:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.9:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.10:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.11:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.12:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.13:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.14:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.15:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.16:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.17:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.18:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.19:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.20:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.21:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:2.15.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.15.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.15.2:*:*:*:*:*:*:* |
Credits
Michael Stepankin at GitHub Security Lab
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9868",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-08T17:23:28.489309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T17:23:36.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.7.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.9.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.9.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.13.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.7:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.8:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.9:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.10:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.11:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.12:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.13:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.14:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.15:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.16:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.17:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.18:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.19:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.20:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.21:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.15.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.15.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.15.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Nexus Repository",
"vendor": "Sonatype",
"versions": [
{
"lessThanOrEqual": "2.15.2",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Stepankin at GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) in the Remote Browser Plugin in Sonatype Nexus Repository 2.x up to and including 2.15.2 allows unauthenticated remote attackers to exfiltrate proxy repository credentials via crafted HTTP requests."
}
],
"value": "Server-Side Request Forgery (SSRF) in the Remote Browser Plugin in Sonatype Nexus Repository 2.x up to and including 2.15.2 allows unauthenticated remote attackers to exfiltrate proxy repository credentials via crafted HTTP requests."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T17:07:45.543Z",
"orgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"shortName": "Sonatype"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.sonatype.com/hc/en-us/articles/45363201583635"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Nexus Repository 2 - SSRF Vulnerability in Remote Browser Plugin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"assignerShortName": "Sonatype",
"cveId": "CVE-2025-9868",
"datePublished": "2025-10-08T17:07:45.543Z",
"dateReserved": "2025-09-02T19:35:28.000Z",
"dateUpdated": "2025-10-08T17:23:36.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5082 (GCVE-0-2024-5082)
Vulnerability from cvelistv5 – Published: 2024-11-14 02:58 – Updated: 2024-11-21 16:12
Summary
A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2.
This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1.
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags |
|---|---|
| https://support.sonatype.com/hc/en-us/articles/30694125380755 | vendor-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Sonatype | Nexus Repository | Affected: 2.0.0 up to and including 2.15.1 (semver) |
cpe:2.3:a:sonatype:nexus_repository_manager:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.4.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.5.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.7.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.7.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.7.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.8.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.8.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.9.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.9.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.9.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.10.0:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:2.11.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.12.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.12.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.13.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.5:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.6:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.7:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.8:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.9:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.10:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.11:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.12:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.13:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.14:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.15:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.16:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.17:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.18:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.19:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.20:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.21:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:2.15.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.15.1:*:*:*:*:*:*:* |
Credits
Michael Stepankin at GitHub Security Lab
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T15:42:32.285305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T16:12:13.436Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.7.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.9.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.9.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.13.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.7:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.8:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.9:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.10:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.11:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.12:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.13:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.14:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.15:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.16:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.17:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.18:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.19:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.20:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.21:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.15.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.15.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Nexus Repository",
"vendor": "Sonatype",
"versions": [
{
"lessThanOrEqual": "2.15.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Stepankin at GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1.\u003c/p\u003e"
}
],
"value": "A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2.\u00a0\n\nThis issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T02:58:44.472Z",
"orgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"shortName": "Sonatype"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.sonatype.com/hc/en-us/articles/30694125380755"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Nexus Repository 2 - Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"assignerShortName": "Sonatype",
"cveId": "CVE-2024-5082",
"datePublished": "2024-11-14T02:58:44.472Z",
"dateReserved": "2024-05-17T19:53:08.215Z",
"dateUpdated": "2024-11-21T16:12:13.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5083 (GCVE-0-2024-5083)
Vulnerability from cvelistv5 – Published: 2024-11-14 01:31 – Updated: 2024-11-21 16:12
Summary
A stored Cross-site Scripting vulnerability has been discovered in Sonatype Nexus Repository 2.
This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Sonatype | Nexus Repository | Affected: 2.0.0 up to and including 2.15.1 (semver) |
cpe:2.3:a:sonatype:nexus_repository_manager:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.1.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.4.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.5.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.5.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.6.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.7.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.7.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.7.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.8.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.8.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.9.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.9.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.9.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.10.0:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:2.11.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.11.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.12.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.12.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.13.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.5:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.6:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.7:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.8:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.9:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.10:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.11:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.12:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.13:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.14:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.15:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.16:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.17:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.18:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.19:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.20:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.14.21:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:2.15.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:2.15.1:*:*:*:*:*:*:* |
Credits
Michael Stepankin at GitHub Security Lab
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T15:44:29.737995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T16:12:30.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.7.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.9.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.9.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.11.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.13.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.6:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.7:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.8:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.9:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.10:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.11:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.12:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.13:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.14:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.15:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.16:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.17:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.18:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.19:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.20:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.14.21:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.15.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:2.15.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Nexus Repository",
"vendor": "Sonatype",
"versions": [
{
"lessThanOrEqual": "2.15.1",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Stepankin at GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stored\u0026nbsp;Cross-site Scripting vulnerability has been discovered in Sonatype Nexus Repository 2\u003c/p\u003e\u003cp\u003eThis issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1.\u003c/p\u003e"
}
],
"value": "A stored\u00a0Cross-site Scripting vulnerability has been discovered in Sonatype Nexus Repository 2\n\nThis issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T01:31:20.538Z",
"orgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"shortName": "Sonatype"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.sonatype.com/hc/en-us/articles/30693989411987"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Nexus Repository 2 - Stored XSS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"assignerShortName": "Sonatype",
"cveId": "CVE-2024-5083",
"datePublished": "2024-11-14T01:31:20.538Z",
"dateReserved": "2024-05-17T19:53:34.732Z",
"dateUpdated": "2024-11-21T16:12:30.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5764 (GCVE-0-2024-5764)
Vulnerability from cvelistv5 – Published: 2024-10-23 14:47 – Updated: 2024-10-23 15:55
Summary
A Use of Hard-coded Credentials vulnerability has been discovered in Sonatype Nexus Repository, in the code responsible for encrypting the secrets stored in the Nexus Repository configuration database (SMTP or HTTP proxy credentials, user tokens and other tokens, among others). The affected versions relied on a static, hard-coded encryption passphrase. Although an administrator could define an alternate encryption passphrase, this could only be done at first boot, and the passphrase could not be changed afterwards.
This issue affects Nexus Repository: from 3.0.0 through 3.72.0.
Severity
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
| URL | Tags |
|---|---|
| | |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sonatype | Nexus Repository |
Affected:
3.0.0 , ≤ 3.72.0
(semver)
cpe:2.3:a:sonatype:nexus_repository_manager:3.0.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.0.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.0.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.7.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.7.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.8.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.9.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.10.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.11.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.12.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.12.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.13.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.14.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.16.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.16.1:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:3.16.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.17.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.18.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.18.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.19.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.19.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.20.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.20.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.22.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.22.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.23.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.24.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.25.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.25.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.26.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.26.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.27.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.28.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.28.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.29.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.29.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.30.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.30.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.31.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.31.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.32.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.33.0:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:3.33.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.34.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.34.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.35.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.36.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.32.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.38.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.38.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.39.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.40.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.40.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.41.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.41.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.42.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.43.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.44.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.45.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.45.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.46.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.47.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.47.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.48.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.49.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.50.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.51.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.52.0:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:3.53.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.53.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.54.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.54.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.55.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.56.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.57.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.57.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.58.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.58.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.59.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.60.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.61.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.62.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.63.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.64.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.65.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.66.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.67.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.67.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.68.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.68.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.69.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.71.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.72.0:*:*:*:*:*:*:* |
Credits
Dylan Evans at/of Maveris, LLC
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T15:54:50.774189Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T15:55:05.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sonatype:nexus_repository_manager:3.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.13.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.17.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.18.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.18.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.19.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.19.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.20.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.20.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.22.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.22.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.23.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.24.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.25.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.25.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.26.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.26.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.27.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.28.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.28.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.29.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.29.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.30.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.30.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.31.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.31.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.32.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.33.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.33.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.34.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.34.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.35.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.36.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.32.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.38.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.38.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.39.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.40.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.40.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.41.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.41.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.42.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.43.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.44.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.45.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.45.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.46.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.47.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.47.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.48.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.49.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.50.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.51.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.52.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.53.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.53.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.54.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.54.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.55.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.56.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.57.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.57.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.58.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.58.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.59.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.60.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.61.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.62.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.63.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.64.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.65.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.66.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.67.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.67.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.68.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.68.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.69.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.71.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.72.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Nexus Repository",
"vendor": "Sonatype",
"versions": [
{
"lessThanOrEqual": "3.72.0",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dylan Evans at/of Maveris, LLC"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUse of Hard-coded Credentials vulnerability in Sonatype Nexus Repository has been discovered in the code responsible for encrypting any secrets stored in the Nexus Repository configuration database (SMTP or HTTP proxy credentials, user tokens, tokens, among others). The affected versions relied on a static hard-coded encryption passphrase. While it was possible for an administrator to define an alternate encryption passphrase, it could only be done at first boot and not updated.\u003c/p\u003e\u003cp\u003eThis issue affects Nexus Repository: from 3.0.0 through 3.72.0.\u003c/p\u003e"
}
],
"value": "Use of Hard-coded Credentials vulnerability in Sonatype Nexus Repository has been discovered in the code responsible for encrypting any secrets stored in the Nexus Repository configuration database (SMTP or HTTP proxy credentials, user tokens, tokens, among others). The affected versions relied on a static hard-coded encryption passphrase. While it was possible for an administrator to define an alternate encryption passphrase, it could only be done at first boot and not updated.\n\nThis issue affects Nexus Repository: from 3.0.0 through 3.72.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T14:47:55.783Z",
"orgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"shortName": "Sonatype"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.sonatype.com/hc/en-us/articles/34496708991507"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Nexus Repository 3 - Static hard-coded encryption passphrase used by default",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"assignerShortName": "Sonatype",
"cveId": "CVE-2024-5764",
"datePublished": "2024-10-23T14:47:55.783Z",
"dateReserved": "2024-06-07T20:20:30.499Z",
"dateUpdated": "2024-10-23T15:55:05.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4956 (GCVE-0-2024-4956)
Vulnerability from cvelistv5 – Published: 2024-05-16 15:31 – Updated: 2024-08-01 20:55
Summary
A path traversal vulnerability in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. This issue is fixed in version 3.68.1.
Severity
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags |
|---|---|
| | |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sonatype | Nexus Repository |
Affected:
3.0.0 , ≤ 3.68.0
(semver)
cpe:2.3:a:sonatype:nexus_repository_manager:3.0.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.0.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.0.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.7.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.7.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.8.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.9.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.10.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.11.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.12.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.12.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.13.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.14.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.16.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.16.1:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:3.16.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.17.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.18.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.18.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.19.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.19.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.20.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.20.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.22.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.22.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.23.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.24.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.25.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.25.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.26.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.26.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.27.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.28.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.28.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.29.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.29.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.30.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.30.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.31.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.31.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.32.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.33.0:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:3.33.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.34.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.34.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.35.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.36.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.32.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.38.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.38.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.39.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.40.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.40.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.41.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.41.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.42.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.43.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.44.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.45.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.45.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.46.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.47.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.47.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.48.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.49.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.50.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.51.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.52.0:*:*:*:*:*:*:* 
cpe:2.3:a:sonatype:nexus_repository_manager:3.53.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.53.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.54.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.54.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.55.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.56.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.57.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.57.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.58.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.58.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.59.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.60.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.61.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.62.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.63.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.64.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.65.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.66.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.67.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.67.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.68.0:*:*:*:*:*:*:* |
Credits
Erick Fernando Xavier de Oliveira (erickfernandox)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T18:27:46.330240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:53:05.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/29416509323923"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sonatype:nexus_repository_manager:3.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.13.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.17.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.18.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.18.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.19.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.19.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.20.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.20.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.22.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.22.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.23.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.24.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.25.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.25.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.26.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.26.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.27.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.28.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.28.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.29.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.29.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.30.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.30.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.31.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.31.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.32.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.33.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.33.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.34.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.34.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.35.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.36.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.32.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.38.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.38.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.39.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.40.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.40.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.41.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.41.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.42.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.43.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.44.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.45.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.45.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.46.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.47.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.47.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.48.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.49.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.50.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.51.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.52.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.53.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.53.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.54.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.54.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.55.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.56.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.57.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.57.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.58.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.58.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.59.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.60.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.61.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.62.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.63.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.64.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.65.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.66.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.67.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.67.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.68.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Nexus Repository",
"vendor": "Sonatype",
"versions": [
{
"lessThanOrEqual": "3.68.0",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erick Fernando Xavier de Oliveira (erickfernandox)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1."
}
],
"value": "Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T15:31:01.795Z",
"orgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"shortName": "Sonatype"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.sonatype.com/hc/en-us/articles/29416509323923"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Nexus Repository 3 - Path Traversal",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"assignerShortName": "Sonatype",
"cveId": "CVE-2024-4956",
"datePublished": "2024-05-16T15:31:01.795Z",
"dateReserved": "2024-05-15T17:17:46.044Z",
"dateUpdated": "2024-08-01T20:55:10.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1142 (GCVE-0-2024-1142)
Vulnerability from cvelistv5 – Published: 2024-03-06 20:08 – Updated: 2024-08-05 17:56
Summary
Path traversal in Sonatype IQ Server, affecting versions from 143 up to but not including 171, allows a remote authenticated attacker to overwrite or delete files via a specially crafted request. The vendor rates it CVSS 3.1 5.4 (Medium; PR:L, I:L, A:L, no confidentiality impact). Version 171 fixes this issue; upgrade to 171 or later.
Severity ?
5.4 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Sonatype
References
| URL | Tags |
|---|---|
| https://support.sonatype.com/hc/en-us/articles/27034479038739-CVE-2024-1142-Sonatype-IQ-Server-Path-Traversal-2024-03-06 | vendor-advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:26:30.512Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/27034479038739-CVE-2024-1142-Sonatype-IQ-Server-Path-Traversal-2024-03-06"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T15:39:21.369981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T17:56:48.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "IQ Server",
"vendor": "Sonatype",
"versions": [
{
"lessThan": "171",
"status": "affected",
"version": "143",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path Traversal in Sonatype IQ Server from version 143 allows remote authenticated attackers to overwrite or delete files via a specially crafted request. Version 171 fixes this issue."
}
],
"value": "Path Traversal in Sonatype IQ Server from version 143 allows remote authenticated attackers to overwrite or delete files via a specially crafted request. Version 171 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T20:08:21.962Z",
"orgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"shortName": "Sonatype"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.sonatype.com/hc/en-us/articles/27034479038739-CVE-2024-1142-Sonatype-IQ-Server-Path-Traversal-2024-03-06"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Sonatype IQ Server - Path Traversal",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"assignerShortName": "Sonatype",
"cveId": "CVE-2024-1142",
"datePublished": "2024-03-06T20:08:21.962Z",
"dateReserved": "2024-02-01T02:16:58.949Z",
"dateUpdated": "2024-08-05T17:56:48.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27907 (GCVE-0-2022-27907)
Vulnerability from cvelistv5 – Published: 2022-03-30 15:51 – Updated: 2024-08-03 05:41
Summary
Sonatype Nexus Repository Manager 3.x before 3.38.0 allows server-side request forgery (SSRF). This MITRE-assigned record carries no structured product, version, CWE or CVSS data (vendor, product and version are all recorded as "n/a"), so tooling that matches on CPE or version ranges will not flag affected instances; determine exposure from the installed version (any 3.x release below 3.38.0) and the linked Sonatype advisory.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
mitre
References
| URL | Tags |
|---|---|
| https://sonatype.com | x_refsource_MISC |
| https://support.sonatype.com/hc/en-us/articles/5011047953555 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:41:11.001Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sonatype.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/5011047953555"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager 3.x before 3.38.0 allows SSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-30T15:51:37",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sonatype.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com/hc/en-us/articles/5011047953555"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-27907",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager 3.x before 3.38.0 allows SSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://sonatype.com",
"refsource": "MISC",
"url": "https://sonatype.com"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/5011047953555",
"refsource": "MISC",
"url": "https://support.sonatype.com/hc/en-us/articles/5011047953555"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-27907",
"datePublished": "2022-03-30T15:51:37",
"dateReserved": "2022-03-25T00:00:00",
"dateUpdated": "2024-08-03T05:41:11.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43961 (GCVE-0-2021-43961)
Vulnerability from cvelistv5 – Published: 2022-03-17 21:13 – Updated: 2024-08-04 04:10
Summary
Sonatype Nexus Repository Manager 3.36.0 allows HTML injection. The record names only version 3.36.0, gives no fixed release, and carries no CWE, CVSS or structured product/version data; consult the linked Sonatype advisory and release notes to confirm the fix version and whether earlier 3.x releases are also affected.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
mitre
References
| URL | Tags |
|---|---|
| https://issues.sonatype.org/secure/ReleaseNote.jspa | x_refsource_MISC |
| https://support.sonatype.com/hc/en-us/articles/4412183372307 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.007Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.sonatype.org/secure/ReleaseNote.jspa"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4412183372307"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager 3.36.0 allows HTML Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-17T21:13:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.sonatype.org/secure/ReleaseNote.jspa"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4412183372307"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43961",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager 3.36.0 allows HTML Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://issues.sonatype.org/secure/ReleaseNote.jspa",
"refsource": "MISC",
"url": "https://issues.sonatype.org/secure/ReleaseNote.jspa"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/4412183372307",
"refsource": "MISC",
"url": "https://support.sonatype.com/hc/en-us/articles/4412183372307"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43961",
"datePublished": "2022-03-17T21:13:13",
"dateReserved": "2021-11-17T00:00:00",
"dateUpdated": "2024-08-04T04:10:17.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43293 (GCVE-0-2021-43293)
Vulnerability from cvelistv5 – Published: 2021-11-04 17:51 – Updated: 2024-08-04 03:55
Summary
Sonatype Nexus Repository Manager 3.x before 3.36.0 allows a remote authenticated attacker to perform network enumeration via server-side request forgery (SSRF), i.e. to use the Nexus instance as a vantage point for probing hosts and ports reachable from it. Exploitation requires valid credentials; the record carries no CVSS, CWE or structured version data, so scope exposure by installed version (any 3.x release below 3.36.0).
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
mitre
References
| URL | Tags |
|---|---|
| https://support.sonatype.com/hc/en-us/articles/4409326330003 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4409326330003"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager 3.x before 3.36.0 allows a remote authenticated attacker to potentially perform network enumeration via Server Side Request Forgery (SSRF)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-04T17:51:51",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4409326330003"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43293",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager 3.x before 3.36.0 allows a remote authenticated attacker to potentially perform network enumeration via Server Side Request Forgery (SSRF)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/articles/4409326330003",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/4409326330003"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43293",
"datePublished": "2021-11-04T17:51:51",
"dateReserved": "2021-11-02T00:00:00",
"dateUpdated": "2024-08-04T03:55:28.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42568 (GCVE-0-2021-42568)
Vulnerability from cvelistv5 – Published: 2021-11-02 12:42 – Updated: 2024-08-04 03:38
Summary
Sonatype Nexus Repository Manager 3.x through 3.35.0 allows a low-privileged authenticated account to invoke the SSL Certificates Loading function, which is not meant to be reachable at that privilege level (the linked Sonatype advisory classifies the issue as incorrect access control). The record carries no CVSS, CWE or structured version data; 3.35.0 is the last affected release named, so confirm the fixed version in the advisory.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
mitre
References
| URL | Tags |
|---|---|
| https://support.sonatype.com | x_refsource_MISC |
| https://support.sonatype.com/hc/en-us/articles/4408801690515-CVE-2021-42568-Nexus-Repository-Manager-3-Incorrect-Access-Control-October-27-2021 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:38:49.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4408801690515-CVE-2021-42568-Nexus-Repository-Manager-3-Incorrect-Access-Control-October-27-2021"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager 3.x through 3.35.0 allows attackers to access the SSL Certificates Loading function via a low-privileged account."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-02T12:42:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4408801690515-CVE-2021-42568-Nexus-Repository-Manager-3-Incorrect-Access-Control-October-27-2021"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42568",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager 3.x through 3.35.0 allows attackers to access the SSL Certificates Loading function via a low-privileged account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com",
"refsource": "MISC",
"url": "https://support.sonatype.com"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/4408801690515-CVE-2021-42568-Nexus-Repository-Manager-3-Incorrect-Access-Control-October-27-2021",
"refsource": "MISC",
"url": "https://support.sonatype.com/hc/en-us/articles/4408801690515-CVE-2021-42568-Nexus-Repository-Manager-3-Incorrect-Access-Control-October-27-2021"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42568",
"datePublished": "2021-11-02T12:42:39",
"dateReserved": "2021-10-18T00:00:00",
"dateUpdated": "2024-08-04T03:38:49.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-40143 (GCVE-0-2021-40143)
Vulnerability from cvelistv5 – Published: 2021-09-07 19:28 – Updated: 2024-08-04 02:27
Summary
Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to HTTP header injection: by sending a crafted HTTP request, a remote attacker may cause the instance to disclose sensitive information or to issue requests for external resources. The record does not state whether authentication is required, names no fixed release, and carries no CVSS or CWE; confirm the fix version in the linked Sonatype advisory and release notes.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
mitre
References
| URL | Tags |
|---|---|
| https://issues.sonatype.org/secure/ReleaseNote.jspa | x_refsource_MISC |
| https://support.sonatype.com/hc/en-us/articles/4405941762579 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:27:31.862Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.sonatype.org/secure/ReleaseNote.jspa"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4405941762579"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-07T19:28:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.sonatype.org/secure/ReleaseNote.jspa"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4405941762579"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-40143",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://issues.sonatype.org/secure/ReleaseNote.jspa",
"refsource": "MISC",
"url": "https://issues.sonatype.org/secure/ReleaseNote.jspa"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/4405941762579",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/4405941762579"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-40143",
"datePublished": "2021-09-07T19:28:53",
"dateReserved": "2021-08-25T00:00:00",
"dateUpdated": "2024-08-04T02:27:31.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37152 (GCVE-0-2021-37152)
Vulnerability from cvelistv5 – Published: 2021-08-10 13:25 – Updated: 2024-08-04 01:16
Summary
Multiple XSS issues exist in Sonatype Nexus Repository Manager 3 before 3.33.0. An authenticated attacker with the ability to add HTML files to a repository could redirect users to Nexus Repository Manager’s pages with code modifications.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:02.865Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4404115639827"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple XSS issues exist in Sonatype Nexus Repository Manager 3 before 3.33.0. An authenticated attacker with the ability to add HTML files to a repository could redirect users to Nexus Repository Manager\u2019s pages with code modifications."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-10T13:25:43",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4404115639827"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-37152",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple XSS issues exist in Sonatype Nexus Repository Manager 3 before 3.33.0. An authenticated attacker with the ability to add HTML files to a repository could redirect users to Nexus Repository Manager\u2019s pages with code modifications."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com",
"refsource": "MISC",
"url": "https://support.sonatype.com"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/4404115639827",
"refsource": "MISC",
"url": "https://support.sonatype.com/hc/en-us/articles/4404115639827"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-37152",
"datePublished": "2021-08-10T13:25:43",
"dateReserved": "2021-07-21T00:00:00",
"dateUpdated": "2024-08-04T01:16:02.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-34553 (GCVE-0-2021-34553)
Vulnerability from cvelistv5 – Published: 2021-06-17 23:41 – Updated: 2024-08-04 00:12
Summary
Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a remote authenticated attacker to get a list of blob files and read the content of a blob file (via a GET request) without having been granted access.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:12:50.380Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4402433828371"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a remote authenticated attacker to get a list of blob files and read the content of a blob file (via a GET request) without having been granted access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-17T23:41:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/4402433828371"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-34553",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a remote authenticated attacker to get a list of blob files and read the content of a blob file (via a GET request) without having been granted access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/articles/4402433828371",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/4402433828371"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-34553",
"datePublished": "2021-06-17T23:41:27",
"dateReserved": "2021-06-10T00:00:00",
"dateUpdated": "2024-08-04T00:12:50.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29159 (GCVE-0-2021-29159)
Vulnerability from cvelistv5 – Published: 2021-04-28 13:14 – Updated: 2024-08-03 22:02
Summary
A cross-site scripting (XSS) vulnerability has been discovered in Nexus Repository Manager 3.x before 3.30.1. An attacker with a local account can create entities with crafted properties that, when viewed by an administrator, can execute arbitrary JavaScript in the context of the NXRM application.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/categories/201980768-Welcome-to-the-Sonatype-Support-Knowledge-Base"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/1500005031082"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability has been discovered in Nexus Repository Manager 3.x before 3.30.1. An attacker with a local account can create entities with crafted properties that, when viewed by an administrator, can execute arbitrary JavaScript in the context of the NXRM application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-28T13:14:41",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com/hc/en-us/categories/201980768-Welcome-to-the-Sonatype-Support-Knowledge-Base"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com/hc/en-us/articles/1500005031082"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29159",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) vulnerability has been discovered in Nexus Repository Manager 3.x before 3.30.1. An attacker with a local account can create entities with crafted properties that, when viewed by an administrator, can execute arbitrary JavaScript in the context of the NXRM application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/categories/201980768-Welcome-to-the-Sonatype-Support-Knowledge-Base",
"refsource": "MISC",
"url": "https://support.sonatype.com/hc/en-us/categories/201980768-Welcome-to-the-Sonatype-Support-Knowledge-Base"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/1500005031082",
"refsource": "MISC",
"url": "https://support.sonatype.com/hc/en-us/articles/1500005031082"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-29159",
"datePublished": "2021-04-28T13:14:41",
"dateReserved": "2021-03-25T00:00:00",
"dateUpdated": "2024-08-03T22:02:50.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-30635 (GCVE-0-2021-30635)
Vulnerability from cvelistv5 – Published: 2021-04-27 02:52 – Updated: 2024-08-03 22:40
Summary
Sonatype Nexus Repository Manager 3.x before 3.30.1 allows a remote attacker to get a list of files and directories that exist in a UI-related folder via directory traversal (no customer-specific data is exposed).
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:40:31.741Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/1500006879561"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager 3.x before 3.30.1 allows a remote attacker to get a list of files and directories that exist in a UI-related folder via directory traversal (no customer-specific data is exposed)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-27T02:54:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com/hc/en-us/articles/1500006879561"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-30635",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager 3.x before 3.30.1 allows a remote attacker to get a list of files and directories that exist in a UI-related folder via directory traversal (no customer-specific data is exposed)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/articles/1500006879561",
"refsource": "MISC",
"url": "https://support.sonatype.com/hc/en-us/articles/1500006879561"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-30635",
"datePublished": "2021-04-27T02:52:06",
"dateReserved": "2021-04-13T00:00:00",
"dateUpdated": "2024-08-03T22:40:31.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29158 (GCVE-0-2021-29158)
Vulnerability from cvelistv5 – Published: 2021-04-23 20:34 – Updated: 2024-08-03 22:02
Summary
Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.119Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/categories/201980768-Welcome-to-the-Sonatype-Support-Knowledge-Base"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/1500006126462"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T20:34:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com/hc/en-us/categories/201980768-Welcome-to-the-Sonatype-Support-Knowledge-Base"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/1500006126462"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29158",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/categories/201980768-Welcome-to-the-Sonatype-Support-Knowledge-Base",
"refsource": "MISC",
"url": "https://support.sonatype.com/hc/en-us/categories/201980768-Welcome-to-the-Sonatype-Support-Knowledge-Base"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/1500006126462",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/1500006126462"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-29158",
"datePublished": "2021-04-23T20:34:00",
"dateReserved": "2021-03-25T00:00:00",
"dateUpdated": "2024-08-03T22:02:51.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-29436 (GCVE-0-2020-29436)
Vulnerability from cvelistv5 – Published: 2020-12-17 01:53 – Updated: 2024-08-04 16:55
Summary
Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Fixed in version 3.29.0.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:55:09.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/1500000415082-CVE-2020-29436-Nexus-Repository-Manager-3-XML-External-Entities-injection-2020-12-15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Fixed in version 3.29.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-17T01:53:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/1500000415082-CVE-2020-29436-Nexus-Repository-Manager-3-XML-External-Entities-injection-2020-12-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-29436",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Fixed in version 3.29.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/articles/1500000415082-CVE-2020-29436-Nexus-Repository-Manager-3-XML-External-Entities-injection-2020-12-15",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/1500000415082-CVE-2020-29436-Nexus-Repository-Manager-3-XML-External-Entities-injection-2020-12-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29436",
"datePublished": "2020-12-17T01:53:13",
"dateReserved": "2020-11-30T00:00:00",
"dateUpdated": "2024-08-04T16:55:09.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15012 (GCVE-0-2020-15012)
Vulnerability from cvelistv5 – Published: 2020-10-12 20:35 – Updated: 2024-08-04 13:00
Summary
A Directory Traversal issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.19. A user that requests a crafted path can traverse up the file system to get access to content on disk (that the user running nxrm also has access to).
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:00:52.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360051068253"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-10-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Directory Traversal issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.19. A user that requests a crafted path can traverse up the file system to get access to content on disk (that the user running nxrm also has access to)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-12T20:35:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360051068253"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15012",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Directory Traversal issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.19. A user that requests a crafted path can traverse up the file system to get access to content on disk (that the user running nxrm also has access to)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/articles/360051068253",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360051068253"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15012",
"datePublished": "2020-10-12T20:35:01",
"dateReserved": "2020-06-24T00:00:00",
"dateUpdated": "2024-08-04T13:00:52.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-24622 (GCVE-0-2020-24622)
Vulnerability from cvelistv5 – Published: 2020-08-25 18:17 – Updated: 2024-08-04 15:19
Summary
In Sonatype Nexus Repository 3.26.1, an S3 secret key can be exposed by an admin user.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:19:08.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.sonatype.org/browse/NEXUS-25019"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360053516793"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Sonatype Nexus Repository 3.26.1, an S3 secret key can be exposed by an admin user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-16T17:55:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.sonatype.org/browse/NEXUS-25019"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360053516793"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-24622",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Sonatype Nexus Repository 3.26.1, an S3 secret key can be exposed by an admin user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://issues.sonatype.org/browse/NEXUS-25019",
"refsource": "MISC",
"url": "https://issues.sonatype.org/browse/NEXUS-25019"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/360053516793",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360053516793"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-24622",
"datePublished": "2020-08-25T18:17:49",
"dateReserved": "2020-08-25T00:00:00",
"dateUpdated": "2024-08-04T15:19:08.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15868 (GCVE-0-2020-15868)
Vulnerability from cvelistv5 – Published: 2020-08-12 21:20 – Updated: 2024-08-04 13:30
Summary
Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:30:23.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360052192533"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-08-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-12T21:20:40",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360052192533"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15868",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/articles/360052192533",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360052192533"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15868",
"datePublished": "2020-08-12T21:20:40",
"dateReserved": "2020-07-21T00:00:00",
"dateUpdated": "2024-08-04T13:30:23.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15871 (GCVE-0-2020-15871)
Vulnerability from cvelistv5 – Published: 2020-07-31 19:59 – Updated: 2024-08-04 13:30
Summary
Sonatype Nexus Repository Manager OSS/Pro version before 3.25.1 allows Remote Code Execution.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:30:23.195Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360052192693"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager OSS/Pro version before 3.25.1 allows Remote Code Execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-31T19:59:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360052192693"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15871",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager OSS/Pro version before 3.25.1 allows Remote Code Execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com",
"refsource": "MISC",
"url": "https://support.sonatype.com"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/360052192693",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360052192693"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15871",
"datePublished": "2020-07-31T19:59:01",
"dateReserved": "2020-07-21T00:00:00",
"dateUpdated": "2024-08-04T13:30:23.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15869 (GCVE-0-2020-15869)
Vulnerability from cvelistv5 – Published: 2020-07-31 19:49 – Updated: 2024-08-04 13:30
Summary
Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (issue 1 of 2).
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:30:22.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360051424554"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (issue 1 of 2)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-31T19:56:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360051424554"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15869",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (issue 1 of 2)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com",
"refsource": "MISC",
"url": "https://support.sonatype.com"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/360051424554",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360051424554"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15869",
"datePublished": "2020-07-31T19:49:18",
"dateReserved": "2020-07-21T00:00:00",
"dateUpdated": "2024-08-04T13:30:22.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15870 (GCVE-0-2020-15870)
Vulnerability from cvelistv5 – Published: 2020-07-31 19:42 – Updated: 2024-08-04 13:30
Summary
Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (Issue 2 of 2).
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:30:23.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360051424754"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (Issue 2 of 2)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-31T19:53:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360051424754"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15870",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (Issue 2 of 2)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com",
"refsource": "MISC",
"url": "https://support.sonatype.com"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/360051424754",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360051424754"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15870",
"datePublished": "2020-07-31T19:42:33",
"dateReserved": "2020-07-21T00:00:00",
"dateUpdated": "2024-08-04T13:30:23.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11415 (GCVE-0-2020-11415)
Vulnerability from cvelistv5 – Published: 2020-04-27 14:35 – Updated: 2024-08-04 11:28
Summary
An issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.17 and 3.x before 3.22.1. Admin users can retrieve the LDAP server system username/password (as configured in nxrm) in cleartext.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:28:13.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360045360854"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.17 and 3.x before 3.22.1. Admin users can retrieve the LDAP server system username/password (as configured in nxrm) in cleartext."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-27T14:35:41",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360045360854"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-11415",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.17 and 3.x before 3.22.1. Admin users can retrieve the LDAP server system username/password (as configured in nxrm) in cleartext."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/articles/360045360854",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360045360854"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-11415",
"datePublished": "2020-04-27T14:35:41",
"dateReserved": "2020-03-31T00:00:00",
"dateUpdated": "2024-08-04T11:28:13.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11753 (GCVE-0-2020-11753)
Vulnerability from cvelistv5 – Published: 2020-04-20 18:49 – Updated: 2024-08-04 11:42
Summary
An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable).
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:42:00.944Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cwe.mitre.org/data/definitions/284.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360046233714"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-04-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-10T20:15:46",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cwe.mitre.org/data/definitions/284.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360046233714"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-11753",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default (making this not exploitable)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cwe.mitre.org/data/definitions/284.html",
"refsource": "MISC",
"url": "https://cwe.mitre.org/data/definitions/284.html"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/360046233714",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360046233714"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-11753",
"datePublished": "2020-04-20T18:49:22",
"dateReserved": "2020-04-14T00:00:00",
"dateUpdated": "2024-08-04T11:42:00.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11444 (GCVE-0-2020-11444)
Vulnerability from cvelistv5 – Published: 2020-04-02 17:22 – Updated: 2024-08-04 11:28
Summary
Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:28:13.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360046133553"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-02T17:22:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.sonatype.com"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360046133553"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-11444",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com",
"refsource": "MISC",
"url": "https://support.sonatype.com"
},
{
"name": "https://support.sonatype.com/hc/en-us/articles/360046133553",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360046133553"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-11444",
"datePublished": "2020-04-02T17:22:04",
"dateReserved": "2020-04-01T00:00:00",
"dateUpdated": "2024-08-04T11:28:13.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10199 (GCVE-0-2020-10199)
Vulnerability from cvelistv5 – Published: 2020-04-01 18:27 – Updated: 2025-10-21 23:35
Summary
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
Severity
8.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:58:39.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360044882533"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/157261/Nexus-Repository-Manager-3.21.1-01-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/160835/Sonatype-Nexus-3.21.1-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cwe.mitre.org/data/definitions/917.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-10199",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T19:56:26.746306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2021-11-03",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10199"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:47.249Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10199"
}
],
"timeline": [
{
"lang": "en",
"time": "2021-11-03T00:00:00+00:00",
"value": "CVE-2020-10199 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-10T20:15:35.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360044882533"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/157261/Nexus-Repository-Manager-3.21.1-01-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/160835/Sonatype-Nexus-3.21.1-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cwe.mitre.org/data/definitions/917.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-10199",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/articles/360044882533",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360044882533"
},
{
"name": "http://packetstormsecurity.com/files/157261/Nexus-Repository-Manager-3.21.1-01-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/157261/Nexus-Repository-Manager-3.21.1-01-Remote-Code-Execution.html"
},
{
"name": "http://packetstormsecurity.com/files/160835/Sonatype-Nexus-3.21.1-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/160835/Sonatype-Nexus-3.21.1-Remote-Code-Execution.html"
},
{
"name": "https://cwe.mitre.org/data/definitions/917.html",
"refsource": "MISC",
"url": "https://cwe.mitre.org/data/definitions/917.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-10199",
"datePublished": "2020-04-01T18:27:23.000Z",
"dateReserved": "2020-03-06T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:47.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10204 (GCVE-0-2020-10204)
Vulnerability from cvelistv5 – Published: 2020-04-01 18:21 – Updated: 2024-08-04 10:58
Summary
Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:58:39.507Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360044356194"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-17T18:08:51",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360044356194"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-10204",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/articles/360044356194",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360044356194"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-10204",
"datePublished": "2020-04-01T18:21:12",
"dateReserved": "2020-03-06T00:00:00",
"dateUpdated": "2024-08-04T10:58:39.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10203 (GCVE-0-2020-10203)
Vulnerability from cvelistv5 – Published: 2020-04-01 18:04 – Updated: 2024-08-04 10:58
Summary
Sonatype Nexus Repository before 3.21.2 allows XSS.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:58:39.549Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360044361594"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonatype Nexus Repository before 3.21.2 allows XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-01T18:04:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.sonatype.com/hc/en-us/articles/360044361594"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-10203",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sonatype Nexus Repository before 3.21.2 allows XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.sonatype.com/hc/en-us/articles/360044361594",
"refsource": "CONFIRM",
"url": "https://support.sonatype.com/hc/en-us/articles/360044361594"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-10203",
"datePublished": "2020-04-01T18:04:39",
"dateReserved": "2020-03-06T00:00:00",
"dateUpdated": "2024-08-04T10:58:39.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}