Sonatype Nexus Repository 2 Hit By RCE (CVE-2024-5082) and XSS (CVE-2024-5083) Flaws
Sonatype has issued two security advisories for its Nexus Repository Manager 2.x, a popular repository manager used by organizations worldwide to store and distribute software artifacts, warning users of two newly discovered vulnerabilities that demand immediate action. These vulnerabilities, tracked as CVE-2024-5082 and CVE-2024-5083, could allow attackers to execute malicious code and compromise systems.
CVE-2024-5082 is a remote code execution (RCE) vulnerability with a CVSSv4 score of 7.1. According to the Sonatype advisory, “An attacker can publish a specially crafted maven artifact with a payload that will be executed upon download of that artifact.” The precondition, then, is the ability to publish an artifact to a Nexus Repository 2 instance, and the trigger is an ordinary download of that artifact: anyone holding, or obtaining, deploy rights to a hosted repository can turn a routine artifact fetch into code execution. The advisory does not describe the payload format or the execution path in more detail.
CVE-2024-5083 is a stored cross-site scripting (XSS) vulnerability with a CVSSv4 score of 5.1. An attacker embeds script in the content of a Maven artifact, and the payload stays dormant in the repository until someone opens it. “If an administrator views the content of said artifact in their browser window, that may execute unwanted actions permitted by the administrator’s account level,” warns the advisory. Because the script runs inside an authenticated administrator session, it can perform whatever that account is allowed to do, which makes this more than a cosmetic issue despite the moderate score.
Sonatype has released Nexus Repository 2 version 2.15.2, which fixes both issues, and is urging users to upgrade immediately. The company acknowledges that “Sonatype Nexus Repository Manager 2.x is under Extended Maintenance” and encourages a migration to Sonatype Nexus Repository 3 for long-term security.
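The fixed version is the one fact on this page that can be checked mechanically across a fleet. The following script is an example added here; it is not code from Sonatype or from the article. It parses the version a Nexus 2 instance reports and flags anything below 2.15.2. It assumes the Nexus 2 status resource lives at `service/local/status` under the instance's context path (for example `https://nexus.example.internal/nexus`) and returns XML carrying a `<data><version>` element; the embedded status response is constructed for the offline demo, not captured from a real server, and the hostname is a placeholder.

```python
"""Triage helper for the Nexus Repository 2 advisories: flag instances older than 2.15.2.

Added example, not Sonatype's code. Assumes the Nexus 2 status resource at
<base_url>/service/local/status returns XML with a <data><version> element.
"""
import re
import sys
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen

FIXED_VERSION = (2, 15, 2)              # first release that fixes CVE-2024-5082 and CVE-2024-5083
STATUS_PATH = "/service/local/status"   # assumed Nexus 2 status endpoint, relative to the context path

# Constructed sample of a status response; not captured from a real server.
SAMPLE_STATUS_XML = """<status>
  <data>
    <appName>Nexus Repository Manager</appName>
    <version>2.14.20-02</version>
    <edition>OSS</edition>
  </data>
</status>
"""

# Nexus 2 versions look like "2.14.20-02"; only the dotted numeric part decides the fix status.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '2.14.20-02' into the comparable tuple (2, 14, 20); the '-NN' build suffix is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_from_status_xml(xml_text):
    """Extract the reported version from the status XML; fail loudly if the element is missing."""
    root = ET.fromstring(xml_text)
    node = root.find("./data/version")
    if node is None or not node.text:
        raise ValueError("status response has no <data><version> element")
    return node.text.strip()


def is_affected(version_text):
    """True when the reported version predates 2.15.2, i.e. is still exposed to both CVEs."""
    return parse_version(version_text) < FIXED_VERSION


def assess(xml_text):
    """Build a small report for one status response."""
    version = version_from_status_xml(xml_text)
    return {
        "version": version,
        "affected": is_affected(version),
        "fixed_in": ".".join(str(p) for p in FIXED_VERSION),
    }


def fetch_status_xml(base_url, timeout=10):
    """Fetch the status XML from a live instance (network call; not used by the offline demo)."""
    req = Request(base_url.rstrip("/") + STATUS_PATH, headers={"Accept": "application/xml"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Usage: python nexus2_check.py https://nexus.example.internal/nexus   (placeholder host)
    # With no argument the constructed sample is assessed instead.
    if len(sys.argv) > 1:
        report = assess(fetch_status_xml(sys.argv[1]))
    else:
        report = assess(SAMPLE_STATUS_XML)
    state = "AFFECTED" if report["affected"] else "fixed"
    print(f"Nexus 2 {report['version']}: {state} (fix available in {report['fixed_in']})")
```

The comparison is done on integer tuples rather than on the raw string so that 2.15.10 is correctly treated as newer than 2.15.2; a plain string comparison would get that wrong. The build suffix is deliberately discarded because the advisory names only the 2.15.2 release as the fix.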
For users unable to upgrade immediately, Sonatype offers temporary mitigation options, such as deploying custom WAF rules or using a reverse proxy to limit exposure. These measures only narrow who can reach the instance and its publishing and browsing endpoints; they do not remove either flaw, so they should be treated as a stopgap until 2.15.2 is in place.