Date: November 14, 2024
Affected Versions: All Sonatype Nexus Repository Manager 2.x OSS/Pro versions up to and including 2.15.1
Fixed in Version: 2.15.2
Sonatype has been made aware of a Remote Code Execution vulnerability affecting Nexus Repository 2.x OSS/Pro. An attacker with privileges to publish content could upload a specially crafted file that causes Nexus Repository to attempt to execute embedded commands when that file is retrieved. See CVE-2024-5082 for details.
We recommend that all Nexus Repository 2.x instances be upgraded to 2.15.2 or later as soon as possible.
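The version boundaries above (every 2.x release up to and including 2.15.1 affected, 2.15.2 fixed) are easy to get wrong when checking a fleet by hand, especially with build qualifiers such as "2.14.20-02". The following is an added example, not part of the advisory or of Sonatype's tooling: it parses a Nexus version string, decides whether it falls inside the affected range, and lists the hosts in a constructed inventory that still need the upgrade. The hostnames and versions in the sample inventory are made up, and the assumption that the trailing "-NN" build qualifier does not change fix status is ours, not the advisory's.

```python
import re

# Version bounds taken from the advisory: every 2.x release up to and
# including 2.15.1 is affected; 2.15.2 carries the fix.
LAST_AFFECTED = (2, 15, 1)
FIXED = (2, 15, 2)

# major.minor[.patch][-build]; the build qualifier is captured but ignored
# (assumption: it does not influence whether the fix is present).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?")


def parse_version(version):
    """Return (major, minor, patch) for a Nexus version string.

    Accepts forms such as '2.15.1', '2.0' or '2.14.20-02'. A missing patch
    component is treated as 0. Raises ValueError for unrecognised input so
    that a garbled inventory entry is surfaced instead of silently skipped.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version):
    """True if the version is a 2.x release at or below 2.15.1 (CVE-2024-5082).

    Anything outside the 2.x line returns False because it is out of scope
    for this advisory, not because it has been assessed as safe.
    """
    v = parse_version(version)
    return v[0] == 2 and v <= LAST_AFFECTED


def triage(inventory):
    """Given {host: version}, return the hosts still needing the 2.15.2 upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "repo-a.example.internal": "2.14.20-02",
        "repo-b.example.internal": "2.15.1",
        "repo-c.example.internal": "2.15.2",
        "repo-d.example.internal": "3.70.1-02",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} is affected; upgrade to 2.15.2 or later")
```

Feed `triage()` the host-to-version map your asset inventory already produces; the version string can be taken from wherever you record it for each instance. Any entry that does not parse raises rather than being skipped, so an incomplete inventory does not quietly shrink the list of hosts to patch.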
Credit:
This issue was discovered and reported responsibly by Michael Stepankin (artsploit) via Sonatype’s Bug Bounty Program.