Lucene search

GitHub Advisory DatabaseGHSA-F34X-8PF6-QC9C

HistorySep 08, 2021 - 5:42 p.m.

HTTP header injection in Sonatype Nexus Repository

2021-09-0817:42:18

CWE-74

GitHub Advisory Database

github.com

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

0.003 Low

EPSS

Percentile

67.9%

JSON

Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance.

Affected configurations

Vulners

Node

org.sonatype.nexus\nexusMatchrepository

CPENameOperatorVersion
org.sonatype.nexus:nexus-repositoryle3.33.1-01

CPE	Name	Operator	Version
	org.sonatype.nexus:nexus-repository	le	3.33.1-01

References

github.com/advisories/GHSA-f34x-8pf6-qc9c

help.sonatype.com/repomanager3/release-notes/2021-release-notes

issues.sonatype.org/secure/ReleaseNote.jspa

nvd.nist.gov/vuln/detail/CVE-2021-40143

support.sonatype.com/hc/en-us/articles/4405941762579

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

0.003 Low

EPSS

Percentile

67.9%

JSON

Related for GHSA-F34X-8PF6-QC9C