Nexus Repository Manager 3 Path Traversal (CVE-2024-4956)
Description
Sonatype Nexus Repository Manager 3 versions prior to 3.68.1 contain a path traversal vulnerability (CVE-2024-4956). An unauthenticated remote attacker can manipulate file path parameters to bypass directory restrictions, escape the intended web root, and read arbitrary files from the server.
Remediation
Immediately upgrade Nexus Repository Manager 3 to version 3.68.1 or later to remediate this vulnerability. Follow these steps:
1. Review the Sonatype support article for version-specific upgrade instructions and compatibility requirements
2. Schedule a maintenance window and create a complete backup of your Nexus installation and data
3. Download Nexus Repository Manager 3.68.1 or the latest stable version from the official Sonatype website
4. Follow the standard upgrade procedure for your deployment method (standalone, Docker, or Kubernetes)
5. Verify the upgrade was successful by checking the version in the administration interface
6. Review access logs for any suspicious file access patterns that may indicate prior exploitation
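Step 6 asks for a review of access logs for suspicious file access patterns. The script below is an added example of that triage, not part of this advisory or of any Sonatype tooling: it parses request log lines, URL-decodes each request path repeatedly so that single- and double-encoded traversal sequences are exposed, flags lines whose decoded path contains a `..` segment, and counts attempts and served (2xx) responses per source address. The log format (a combined-log-style request field) and the sample lines are constructed assumptions; adapt the regular expression to the exact layout of your instance's request log.

```python
"""Scan request logs for path traversal indicators (added example, not advisory code).

Assumptions: the log uses a combined-log-like layout with a quoted
"METHOD /path HTTP/x" request field; sample lines below are constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2024:10:01:02 +0000] "GET /repository/maven-public/org/example/lib/1.0/lib-1.0.jar HTTP/1.1" 200 51234
203.0.113.9 - - [15/May/2024:10:02:11 +0000] "GET /repository/maven-public/../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [15/May/2024:10:02:15 +0000] "GET /repository/maven-public/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 0
203.0.113.9 - - [15/May/2024:10:02:20 +0000] "GET /repository/maven-public/..%252f..%252fetc/hosts HTTP/1.1" 200 220
198.51.100.7 - - [15/May/2024:10:03:00 +0000] "GET /service/rest/v1/status HTTP/1.1" 200 15
"""

# Assumed request-log layout: ip ident user [timestamp] "METHOD path PROTO" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." segment bounded by a path separator, query delimiter, or string edge.
# Applied after decoding and backslash normalisation, so "a..b" does not match.
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&;])\.\.(?:[/?&#;]|$)')


def decode_fully(path, max_rounds=3):
    """URL-decode until stable so %2e%2e and %252f style encodings are exposed."""
    prev = path
    for _ in range(max_rounds):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def is_traversal(path):
    """True if the decoded, slash-normalised path contains a '..' segment."""
    decoded = decode_fully(path).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def parse_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan(log_text):
    """Return one finding per log line whose request path shows traversal."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_traversal(rec["path"]):
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": rec["path"],
            "decoded": decode_fully(rec["path"]),
            "status": rec["status"],
            # A 2xx on a traversal path is the strongest sign a file was served.
            "likely_success": 200 <= rec["status"] < 300,
        })
    return findings


def summarize_by_ip(findings):
    """Count traversal attempts and served responses per source address."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["ip"], {"attempts": 0, "successes": 0})
        s["attempts"] += 1
        if f["likely_success"]:
            s["successes"] += 1
    return summary


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        flag = "SERVED" if h["likely_success"] else "blocked"
        print(f'{h["ts"]} {h["ip"]} {flag} {h["path"]} -> {h["decoded"]}')
    print(summarize_by_ip(hits))
```

A source address with any `likely_success` hit on a traversal path warrants treating the instance as compromised until the served files are identified; requests that decoded to a traversal but returned 4xx still show who was probing and when, which helps scope the firewall allowlist in the interim mitigation.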
As a temporary mitigation if immediate patching is not possible, restrict network access to the Nexus Repository Manager instance so that only trusted IP addresses can reach it, using firewall rules or network segmentation.