Nexus Repository 2 Security Advisory

Date: November 14, 2024

Affected Versions: All Sonatype Nexus Repository Manager 2.x OSS/Pro versions up to and including 2.15.1

Fixed in Version: 2.15.2

Sonatype has been made aware of a Remote Code Execution vulnerability impacting Nexus Repository 2.x OSS/Pro. An attacker with privileges to publish content could upload a specially crafted file that would cause Nexus Repository to attempt to execute embedded commands when that file is retrieved. See CVE-2024-5082 for details.

We recommend that all instances of Nexus Repository 2.x be upgraded to 2.15.2 or later as soon as possible.

Credit:

This issue was discovered and reported responsibly by Michael Stepankin (artsploit) via Sonatype’s Bug Bounty Program.