CVE-2024-4956: Nexus Repository Manager Directory Traversal Vulnerability

Overview

This vulnerability affects Nexus Repository Manager versions up to and including 3.68.0. It allows an attacker to perform directory traversal, potentially accessing sensitive files on the server.

Exploit Details

The exploit takes advantage of a directory traversal vulnerability in the Nexus Repository Manager. By crafting a specific URL, an attacker can bypass security controls and access files outside of the intended directory structure.

Vulnerable Code and Explanation

Patch link: https://github.com/sonatype/nexus-public/compare/release-3.68.0-04...release-3.68.1-02

Sonatype Nexus uses Jetty servlets to serve its web content. By default, its static elements are served from /static/ and /public/. However, the path used to look these elements up is not sanitised, allowing directory traversal.

Legacy vulnerable code

```java
@Override
public WebResource getResource(final String path) {
  log.trace("Looking up resource: {}", path);

  WebResource resource = null;

  // 1) first "dev" resources if enabled (to override everything else)
  File file = devModeResources.getFileIfOnFileSystem(path);
  if (file != null) {
    resource = new FileWebResource(
      file,
      path,
      mimeSupport.guessMimeTypeFromPath(file.getName()),
      false
    );
    log.trace("Found dev-mode resource: {}", resource);
  }

  // 2) second, look at "ordinary" resources, but only if devResource did not hit anything
  if (resource == null) {
    resource = resourcePaths.get(path);
    if (resource != null) {
      log.trace("Found bound resource: {}", resource);
    }
  }

  // 3) third, look into WAR embedded resources
  if (resource == null) {
    URL url;
    try {
      url = servletContext.getResource(path);
      if (url != null && !isDirectory(url)) {
        resource = new UrlWebResource(
          url,
          path,
          mimeSupport.guessMimeTypeFromPath(path)
        );
        log.trace("Found servlet-context resource: {}", resource);
      }
    } catch (MalformedURLException e) {
      throw new RuntimeException(e);
    }
  }

  return resource;
}
```

Because the request path is passed to servletContext.getResource() in step 3 without any sanitisation or containment check, the lookup of WAR-embedded resources allows directory traversal.

Scope

Whilst this vulnerability may appear widely exploitable, most deployments are proxied behind nginx with merge_slashes enabled, which limits its reach. Do not expose the Nexus Repository Manager to the internet without proper security measures in place, such as running it behind a reverse proxy.
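To make the missing check concrete, and to give the Scope note above an operational counterpart, the following Python is an added example written for this page. It is not the Nexus patch and not the repository's exploit script; the ALLOWED_ROOTS tuple, the nginx log format and the sample log lines are constructed assumptions. canonicalise() performs the decode, normalise and containment check that the legacy getResource() omits before calling servletContext.getResource(); resolve_under_root() adds a filesystem-level containment check as defence in depth; and find_traversal_attempts() applies the same rules to access-log lines so a defender behind nginx can see traversal attempts against /static/ or /public/ whether or not merge_slashes absorbed them.

```python
import os
import posixpath
import re
from urllib.parse import unquote

# Constructed for this example: the two roots the README says static content is served from.
ALLOWED_ROOTS = ("/static/", "/public/")


def _fully_decode(path: str) -> str:
    """Apply percent-decoding until it stops changing, so nested encoding cannot hide a '..'."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def canonicalise(raw_path: str):
    """Return the canonical form of raw_path if it names a file inside ALLOWED_ROOTS, else None.

    This is the check the legacy getResource() never performs before handing the path to
    servletContext.getResource(): decode, collapse duplicate slashes, resolve '.' and '..',
    then require the result to still sit under one of the served roots.
    """
    decoded = _fully_decode(raw_path)
    if "\x00" in decoded or "\\" in decoded or not decoded.startswith("/"):
        return None
    canonical = posixpath.normpath(decoded)   # resolves '.'/'..' and collapses '//' inside the path
    while canonical.startswith("//"):         # normpath preserves a leading '//'; collapse it too
        canonical = canonical[1:]
    if ".." in canonical.split("/"):
        return None
    for root in ALLOWED_ROOTS:
        if canonical.startswith(root) and len(canonical) > len(root):
            return canonical
    return None


def is_safe_resource_path(raw_path: str) -> bool:
    return canonicalise(raw_path) is not None


def resolve_under_root(web_root: str, raw_path: str):
    """Defence in depth: map the canonical path onto disk and confirm that the real path
    (symlinks resolved) is still below web_root. Returns the absolute path or None."""
    canonical = canonicalise(raw_path)
    if canonical is None:
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, canonical.lstrip("/")))
    return candidate if os.path.commonpath([root, candidate]) == root else None


# Detection side: nginx 'combined' format, e.g.  ip - user [time] "METHOD uri PROTO" status bytes ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def find_traversal_attempts(log_lines):
    """Return (ip, uri, escaped_root) for requests under a static root that use '..', '.' or
    duplicate slashes. escaped_root is True when canonicalisation rejects the path outright;
    a doubled slash that still canonicalises inside the root is reported with False, since
    that is exactly the case merge_slashes quietly absorbs at the proxy."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        uri = m.group("uri").split("?", 1)[0]
        decoded = _fully_decode(uri)
        if not any(decoded.lstrip("/").startswith(r.strip("/") + "/") for r in ALLOWED_ROOTS):
            continue
        segments = decoded.split("/")
        climbs = ".." in segments[1:] or "." in segments[1:]
        doubled = "" in segments[1:-1]
        if climbs or doubled:
            hits.append((m.group("ip"), uri, canonicalise(uri) is None))
    return hits


# Constructed sample log lines (not from any real deployment).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /static/css/nexus.css HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /static/../etc/hosts HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Jun/2024:12:00:03 +0000] "GET /public/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Jun/2024:12:00:04 +0000] "GET /static//images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, uri, escaped in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} requested {uri!r}: {'escapes' if escaped else 'stays inside'} the static root")
```

The detector deliberately reports doubled-slash requests even when they canonicalise inside the root: on a deployment where nginx merges slashes they are harmless, but they are the signal that someone is probing the static handler, and on a deployment without the proxy the same requests reach Jetty unchanged.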

Usage

  1. Ensure you have Python 3.x installed.
  2. Install the required dependencies:

     ```shell
     pip install -r requirements.txt
     ```

  3. Start the vulnerable test server:

     ```shell
     cd vulnerable
     docker-compose up -d
     ```

  4. Run the exploit script:

     ```shell
     python exploit.py
     ```

Script Functionality

  • Performs preflight checks to ensure the target server is accessible
  • Verifies the Nexus Repository Manager version
  • Checks for the presence of Nginx
  • Saves the output to a file in the output/ directory

Disclaimer

This script is for educational and ethical testing purposes only. Always obtain proper authorization before testing on systems you do not own or have explicit permission to test.

References