Skip to main content

Nexus Repository Manager CVE-2024-5764

MEDIUM
Use of Hard-coded Credentials (CWE-798)
2024-10-23 103e4ec9-0a87-450b-af77-479448ddef11
5.9
CVSS 4.0 · Vendor: 103e4ec9-0a87-450b-af77-479448ddef11
Share

Severity by source

Vendor (103e4ec9-0a87-450b-af77-479448ddef11) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (103e4ec9-0a87-450b-af77-479448ddef11) · only source for this CVE.

CVSS VectorVendor: 103e4ec9-0a87-450b-af77-479448ddef11

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Oct 23, 2024 - 15:15 cve.org
MEDIUM 5.9

DescriptionCVE.org

Use of Hard-coded Credentials vulnerability in Sonatype Nexus Repository has been discovered in the code responsible for encrypting any secrets stored in the Nexus Repository configuration database (SMTP or HTTP proxy credentials, user tokens, tokens, among others). The affected versions relied on a static hard-coded encryption passphrase. While it was possible for an administrator to define an alternate encryption passphrase, it could only be done at first boot and not updated.

This issue affects Nexus Repository: from 3.0.0 through 3.72.0.

AnalysisAI

Use of Hard-coded Credentials vulnerability in Sonatype Nexus Repository has been discovered in the code responsible for encrypting any secrets stored in the Nexus Repository configuration database. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Use of Hard-coded Credentials (CWE-798), which allows attackers to gain access using credentials embedded in source code. Use of Hard-coded Credentials vulnerability in Sonatype Nexus Repository has been discovered in the code responsible for encrypting any secrets stored in the Nexus Repository configuration database (SMTP or HTTP proxy credentials, user tokens, tokens, among others). The affected versions relied on a static hard-coded encryption passphrase. While it was possible for an administrator to define an alternate encryption passphrase, it could only be done at first boot and not updated.0.0 through 3.72.0. Affected products include: Sonatype Nexus Repository Manager. Version information: through 3.72.0..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Remove hard-coded credentials, use environment variables or secrets management, rotate exposed credentials immediately.

CVE-2019-7238 CRITICAL POC
9.8 Mar 21

Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control. Rated critical severity (CVSS 9.8), this v

CVE-2019-5475 HIGH POC
8.8 Sep 03

The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Execution when instances using CommandLineExecutor.ja

CVE-2018-16621 HIGH POC
7.2 Nov 15

Sonatype Nexus Repository Manager before 3.14 allows Java Expression Language Injection. Rated high severity (CVSS 7.2),

CVE-2018-5307 MEDIUM POC
6.1 Feb 09

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 2.x before 2.14.6 al

CVE-2018-5306 MEDIUM POC
6.1 Feb 09

Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 3.x before 3.8 allow

CVE-2017-17717 CRITICAL
9.8 Dec 17

Sonatype Nexus Repository Manager through 2.14.5 has weak password encryption with a hardcoded CMMDwoV value in the LDAP

CVE-2019-9629 CRITICAL
9.8 Jul 08

Sonatype Nexus Repository Manager before 3.17.0 establishes a default administrator user with weak defaults (fixed crede

CVE-2026-11403 HIGH
8.7 Jul 14

Improper API key generation in Sonatype Nexus Repository Manager lets a remote attacker impersonate a targeted user and

CVE-2026-3329 HIGH
8.7 Jun 11

Credential-guessing attacks against Sonatype Nexus Repository Manager are enabled by missing rate-limiting on authentica

CVE-2020-15012 HIGH
8.6 Oct 12

A Directory Traversal issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.19. Rated high severity

CVE-2020-15868 HIGH
7.5 Aug 12

Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control. Rated high severity (CVSS 7.5), th

CVE-2019-9630 HIGH
7.5 Jul 08

Sonatype Nexus Repository Manager before 3.17.0 has a weak default of giving any unauthenticated user read permissions o

Share

CVE-2024-5764 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy