Unauthenticated Path Traversal in Nexus Repository Manager 3
Nexus Repository Manager is a hub for managing, storing and distributing development artifacts. A critical path traversal vulnerability affects Nexus Repository Manager 3 in all releases before 3.68.1.
The vulnerability lets an unauthenticated attacker craft a URL that downloads files from outside the directories the Nexus Repository application is meant to serve. The impact is severe: it discloses confidential system files and can compromise the integrity of the host running Nexus Repository.
Upgrade to Nexus Repository Manager 3.68.1 or newer as soon as possible to close this hole.
The Significance of the Vulnerability
The impact of this vulnerability extends beyond direct users of Nexus Repository: it can be the starting point of a supply chain attack, because it can also affect third-party products used in your organization.
Exploiting the flaw allows retrieval of critical data such as process memory contents, application database passwords and essentially almost any file present on the system. We were able to confirm this in our lab.
Our primary concern is that build systems often contain sensitive API keys, which could give threat actors a foothold in additional infrastructure components and long-term access to the software build system.
Recommended Actions
Update Your Systems:
- Apply patches to your infrastructure promptly.
Audit Authentication Logs:
- Examine both incoming and outgoing authentication logs from the affected machine for at least the past 30 days.
- Prioritize reviewing authentication related to Nexus Repository Manager and SSH.
Inspect SSH Keys:
- Check for recently added trusted keys for SSH (authorized_keys entries).
Analyze Webserver Logs:
- Look for patterns such as %2f (in either case, and double-encoded as %252f) or .. in webserver logs.
- Focus on the following file: log/request.log (for Docker, the full path is /nexus-data/log/request.log).
Identify Accessed Files:
- If such patterns are detected, determine which files were accessed (a 200 response with a non-zero response size indicates the file was actually served).
- Pay extra attention to requests containing:
- id_rsa or id_dsa (access to SSH private keys).
- bash_history (may contain credentials or passwords).
- /db/ (where database files such as api_key_domain_api_key_idx.sbt and user.pcl are located, holding API keys and user accounts with hashed passwords respectively).
- /proc/ (exposes process memory and environment variables that can reveal passwords or memory segments).
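The log review above (find %2f or .. in request.log, decode the request, then check which files came back) is easy to script. The following is an added example written for this page, not code from Sonatype or from the original advisory. It assumes request.log is in the NCSA-style format Nexus writes through Jetty (verify against a real line from your instance and adjust LOG_RE if needed), the log lines are constructed samples rather than real traffic, and it goes slightly beyond the text by also matching id_ecdsa and id_ed25519 key names, which are just as sensitive as id_rsa and id_dsa:

```python
import re
from urllib.parse import unquote

# Assumed NCSA-style request.log line (Jetty request log as written by Nexus).
# Check a real line from your instance and adjust this pattern if it differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Sensitive targets from the advisory; ecdsa/ed25519 key names are added here
# beyond the id_{rsa|dsa} the text lists, because they are equally sensitive.
SENSITIVE = {
    "ssh_key": re.compile(r"id_(rsa|dsa|ecdsa|ed25519)"),
    "shell_history": re.compile(r"bash_history"),
    "nexus_db": re.compile(r"/db/"),
    "procfs": re.compile(r"/proc/"),
}


def decode_fully(path, max_rounds=3):
    """Percent-decode until stable so double-encoded traversal (%252e%252e) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(raw_path):
    """Flag encoded slashes/dots in the raw request, or '..' once fully decoded."""
    low = raw_path.lower()
    if "%2f" in low or "%2e" in low:
        return True
    return ".." in decode_fully(raw_path)


def classify(decoded_path):
    """Return the sensitive-file categories a decoded path touches (sorted; may be empty)."""
    return sorted(name for name, rx in SENSITIVE.items() if rx.search(decoded_path))


def scan(lines):
    """Return one hit dict per request that looks like traversal, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; keep going
        raw = m.group("path")
        if not is_traversal(raw):
            continue
        decoded = decode_fully(raw)
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "raw": raw,
            "decoded": decoded,
            "categories": classify(decoded),
        })
    return hits


def confirmed_sensitive(hits):
    """Hits that touched a sensitive target and got HTTP 200: treat the file as exfiltrated."""
    return [h for h in hits if h["categories"] and h["status"] == 200]


# Constructed sample log lines (not real traffic). The npm line shows a legitimate
# use of %2F (scoped package names) that is flagged and needs manual triage.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2024:10:21:03 +0000] "GET /repository/maven-public/org/example/app/1.0/app-1.0.pom HTTP/1.1" 200 - 1842 12 "Apache-Maven/3.9.6"
198.51.100.9 - - [01/Jun/2024:10:23:10 +0000] "GET /repository/npm-proxy/@types%2Fnode HTTP/1.1" 200 - 5120 9 "npm/10.2.4 node/v20.11.0"
203.0.113.7 - - [01/Jun/2024:10:24:41 +0000] "GET /%2F..%2F..%2F..%2Froot%2F.ssh%2Fid_rsa HTTP/1.1" 200 - 2602 4 "curl/8.5.0"
203.0.113.7 - - [01/Jun/2024:10:24:55 +0000] "GET /%2F..%2F..%2F..%2Fnexus-data%2Fdb%2Fuser.pcl HTTP/1.1" 200 - 11873 6 "curl/8.5.0"
203.0.113.7 - - [01/Jun/2024:10:25:12 +0000] "GET /%252F..%252F..%252F..%252Fproc%252Fself%252Fenviron HTTP/1.1" 404 - 0 3 "curl/8.5.0"
203.0.113.7 - - [01/Jun/2024:10:25:30 +0000] "GET /%2F..%2F..%2F..%2Froot%2F.bash_history HTTP/1.1" 200 - 944 4 "curl/8.5.0"
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        tag = ",".join(h["categories"]) or "triage"
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {tag:14s} {h["decoded"]}')
```

Run it against a copy of request.log (`scan(open("request.log").readlines())`) and start with the output of confirmed_sensitive(): those are the requests that both targeted a file from the list above and received a 200. Hits with no category are not necessarily benign; npm scoped packages legitimately encode the slash as %2F, so triage those by the decoded path rather than discarding them.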
Respond to Suspected Attacks:
If an attack is suspected, take the following steps immediately:
Review all malicious activity and reset all sensitive information, including:
- Passwords for user accounts.
- SSH account credentials.
- SSH key trusts (authorized_keys entries).
- Nexus API keys (the database files listed above can expose them).