Nexus Repository 3
Monthly
SSRF protections in Sonatype Nexus Repository 3 are bypassed when proxy repository upstream servers return HTTP redirects, allowing those redirects to target internal network addresses or cloud metadata endpoints such as AWS IMDSv1. Any user with read access to an affected proxy repository - including anonymous users if anonymous access is enabled - can receive responses from internal infrastructure, potentially leaking cloud IAM credentials or other sensitive internal data. No public exploit or CISA KEV listing has been identified at time of analysis, but the condition relies on attacker-controlled or compromised upstream servers, making this a credible supply-chain-adjacent threat in enterprises relying on external upstream repositories.
Server-Side Request Forgery in Sonatype Nexus Repository 3 allows any holder of the Capability Administration permission to redirect the server's outbound HTTP requests to arbitrary internal network addresses by supplying a crafted URL in the Webhook Global capability configuration, enabling probing of internal infrastructure. The vulnerability is patched in version 3.94.0 per Sonatype's release notes. No public exploit code exists and the vulnerability is not in CISA KEV, but risk escalates materially on instances where the anonymous role has been granted the Capability Administration permission, as this exposes the SSRF to unauthenticated actors without any configuration changes beyond that role assignment.
Authorization bypass in Sonatype Nexus Repository 3's component upload API lets an account holding only read/browse privileges on a Swift, Terraform, or Conda hosted repository push arbitrary artifacts, defeating the intended write-permission check (CWE-862). The flaw affects the specific upload paths for these three formats and enables unauthorized artifact publishing that can poison downstream builds. No public exploit identified at time of analysis; Sonatype has shipped a fix in release 3.94.0.
SSRF protections in Sonatype Nexus Repository 3 are bypassed when proxy repository upstream servers return HTTP redirects, allowing those redirects to target internal network addresses or cloud metadata endpoints such as AWS IMDSv1. Any user with read access to an affected proxy repository - including anonymous users if anonymous access is enabled - can receive responses from internal infrastructure, potentially leaking cloud IAM credentials or other sensitive internal data. No public exploit or CISA KEV listing has been identified at time of analysis, but the condition relies on attacker-controlled or compromised upstream servers, making this a credible supply-chain-adjacent threat in enterprises relying on external upstream repositories.
Server-Side Request Forgery in Sonatype Nexus Repository 3 allows any holder of the Capability Administration permission to redirect the server's outbound HTTP requests to arbitrary internal network addresses by supplying a crafted URL in the Webhook Global capability configuration, enabling probing of internal infrastructure. The vulnerability is patched in version 3.94.0 per Sonatype's release notes. No public exploit code exists and the vulnerability is not in CISA KEV, but risk escalates materially on instances where the anonymous role has been granted the Capability Administration permission, as this exposes the SSRF to unauthenticated actors without any configuration changes beyond that role assignment.
Authorization bypass in Sonatype Nexus Repository 3's component upload API lets an account holding only read/browse privileges on a Swift, Terraform, or Conda hosted repository push arbitrary artifacts, defeating the intended write-permission check (CWE-862). The flaw affects the specific upload paths for these three formats and enables unauthorized artifact publishing that can poison downstream builds. No public exploit identified at time of analysis; Sonatype has shipped a fix in release 3.94.0.