CVE-2024-4956: 
Sonatype Nexus vulnerability analysis and mitigation

A critical path traversal vulnerability (CVE-2024-4956) was discovered in Sonatype Nexus Repository 3, affecting all versions up to and including 3.68.0. The vulnerability was identified on May 16, 2024, by Erick Fernando Xavier de Oliveira through Sonatype's Bug Bounty Program. This security flaw has been assigned a CVSS score of 7.5, indicating high severity (Sonatype Advisory).

The vulnerability allows an unauthenticated attacker to craft a URL that can return any file as a download, including system files outside of the Nexus Repository application scope. The only precondition for exploitation is network access to the Sonatype Nexus Repository 3 instance. As of May 24, 2024, proof-of-concept exploitation examples have been observed in the public domain (Sonatype Advisory, Security Online).

The vulnerability could potentially expose sensitive system files, configuration data, credentials, and other proprietary information, posing a significant risk to organizations' software development pipelines and supply chains. The unauthenticated nature of the exploit makes it particularly dangerous as it requires no prior authentication to exploit (Security Online).

Sonatype has released version 3.68.1 as a fix for this vulnerability. For organizations unable to upgrade immediately, two alternative mitigation options are available: 1) Editing the jetty.xml configuration file to remove the /public line, though this affects some UI elements, or 2) Implementing AWS WAF Core Rule Set's GenericLFI_URIPATH rule for installations protected by AWS WAF. Additionally, Sonatype recommends rotating credentials for services connected to Nexus Repository or its host (Sonatype Mitigations).