CVE-2024-5764 MEDIUM

CVE-2024-5764: Nexus Repository 3 - Static hard-coded encryption passphrase used by default

Vendor Sonatype
Product Nexus Repository
Weakness CWE-798 · Hardcoded credentials
Published October 23, 2024
Last update October 23, 2024

CVSS base score

5.9/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

A Use of Hard-coded Credentials vulnerability has been discovered in Sonatype Nexus Repository, in the code responsible for encrypting any secrets stored in the Nexus Repository configuration database (SMTP or HTTP proxy credentials, user tokens, tokens, among others). The affected versions relied on a static hard-coded encryption passphrase. While an administrator could define an alternate encryption passphrase, this could only be done at first boot, and the passphrase could not be updated afterwards. This issue affects Nexus Repository from 3.0.0 through 3.72.0.

Key dates

02 Disclosure timeline

October 23, 2024 CVE published
October 23, 2024 Record updated