Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint exploitable by low-privilege users; scope change to subsequent systems captures internal SSRF pivot; no confidentiality or integrity impact on the Nexus host itself.
Primary rating from Vendor (Sonatype).
CVSS VectorVendor: Sonatype
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Nexus Repository 3 is vulnerable to Server-Side Request Forgery (SSRF) via the SSL Certificate Retrieval endpoint. A user holding the nexus:ssl-truststore:read permission could cause the server to initiate outbound connections to internal or otherwise restricted network hosts. This issue affects Nexus Repository 3.0.0 through versions prior to 3.94.0.
AnalysisAI
Server-Side Request Forgery in Sonatype Nexus Repository 3 exposes internal network infrastructure to authenticated users holding the nexus:ssl-truststore:read permission, who can weaponize the SSL Certificate Retrieval endpoint to force the server to initiate outbound TCP connections to arbitrary hosts - including cloud metadata services, internal APIs, and otherwise firewalled systems. All versions from 3.0.0 up to (but not including) 3.94.0 are affected, and a vendor-released patch is available. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Nexus session with the nexus:ssl-truststore:read permission explicitly granted - this is not a default permission for all users and is typically restricted to administrators or security operators managing the trust store. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms this is network-exploitable with low complexity and no attack prerequisites beyond holding the nexus:ssl-truststore:read permission - substantially limiting the exposed population to users who have been explicitly granted that role. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a Nexus account holding the nexus:ssl-truststore:read permission submits a crafted request to the SSL Certificate Retrieval endpoint targeting an internal host - for example, the AWS EC2 instance metadata service at 169.254.169.254 or an internal Kubernetes API server. The Nexus server initiates a TCP connection and returns connection results or certificate data from the internal target, allowing the attacker to enumerate internal services, harvest cloud credentials from metadata endpoints, or map the internal network without needing direct network access to those hosts. … |
| Remediation | Upgrade Sonatype Nexus Repository to version 3.94.0 or later, as documented in the official release notes at https://help.sonatype.com/en/sonatype-nexus-repository-3-94-0-release-notes.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Nexus Repository
View allCWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unau
Arbitrary OS command execution in Sonatype Nexus Repository 3 versions prior to 3.92.0 allows authenticated users holdin
Stored cross-site scripting (XSS) in Sonatype Nexus Repository 3.6.0 through 3.91.x allows authenticated users with uplo
An authenticated administrator who configures or tests LDAP connectivity in Sonatype Nexus Repository Manager versions 3
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43744
GHSA-jpvp-vqx9-22qg