Hi, we recently followed the guide to mitigate vulernability CVE-2024-4956: https://support.sonatype.com/hc/en-us/articles/29412417068819-Mitigations-for-CVE-2024-4956-Nexus-Repository-3-Vulnerability
We ssh into the server where nexus is running, modified the jetty.xml file to make the /public folder not accessible. Before I made the changes to the config by removing <Set name="resourceBase"><Property name="karaf.base"/>/public</Set> line, I used curl to try to fetch files from the /public folder. I was able to download the favicon.ico file for example. Then I made the config changes, but I am still able to curl and download the favicon.ico file. Is this the way to go to test the mitigation, or is there another way to test it?
We wanted to test the fix of removing the line from the jetty.xml file first, because we are way behind in versions, and we are planning on phasing out nexus, so we wanted a quick fix.
I also went into the nexus UI, downloaded the Support ZIP, and can still see the “resourceBase” line even though I removed it on the server. I ssh into the server, and removed it from the jetty.xml file. But the file in the zip with path install/etc/jetty.xml stil shows the “resourceBase”-tag. I have restarted nexus and everything, so I’m not too sure what to do next.