PT-2024-37131 · Sonatype · Sonatype Nexus Repository+1

Published: 2024-10-23 · Updated: 2025-11-06 · CVE-2024-5764

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Sonatype Nexus Repository versions 3.0.0 through 3.72.0
Description: A Use of Hard-coded Credentials vulnerability has been discovered in the code responsible for encrypting secrets stored in the Nexus Repository configuration database, such as SMTP or HTTP proxy credentials and user tokens. The affected versions relied on a static, hard-coded encryption passphrase that could be set only at first boot and could not be changed afterwards.
Recommendations: For Sonatype Nexus Repository versions 3.0.0 through 3.72.0, update the encryption passphrase as soon as possible to prevent exploitation. As a temporary workaround, consider restricting access to sensitive areas of the Nexus Repository configuration database until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
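The weakness class described above, modelled as an added example (not Nexus Repository's own code): a config-secret store whose passphrase defaults to a constant fixed at first boot, beside the per-installation alternative, with an audit check that flags any store whose rows still open with the public default. The `HARDCODED_PASSPHRASE` value and the HMAC-based cipher are constructed stand-ins for illustration only.

```python
import hashlib
import hmac
import os
import secrets

# Constructed placeholder, NOT the real Nexus value: anything baked into shipped code
# is effectively public, so it cannot protect secrets in a database an attacker can read.
HARDCODED_PASSPHRASE = "CHANGEME-static-default"


def derive_key(passphrase, salt):
    """Derive a 32-byte key from a passphrase (PBKDF2-HMAC-SHA256, constructed example)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)


def _keystream(key, nonce, n):
    """Toy HMAC counter-mode keystream; stands in for a real AEAD cipher."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
    return out[:n]


def encrypt_secret(passphrase, plaintext):
    """Return salt | nonce | tag | ciphertext for one stored secret."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return salt + nonce + tag + ct


def decrypt_secret(passphrase, blob):
    """Return the plaintext, or None when the passphrase does not authenticate the blob."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ConfigSecretStore:
    """Weak design: the passphrase is chosen once at first boot and defaults to a constant."""

    def __init__(self, first_boot_passphrase=None):
        self.passphrase = first_boot_passphrase or HARDCODED_PASSPHRASE
        self.rows = {}  # secret name -> encrypted blob, as the config database would hold it

    def put(self, name, value):
        self.rows[name] = encrypt_secret(self.passphrase, value.encode())

    def uses_hardcoded_passphrase(self):
        """Audit check: a store is exposed if the public default decrypts any of its rows."""
        return any(decrypt_secret(HARDCODED_PASSPHRASE, b) is not None for b in self.rows.values())


def per_install_passphrase():
    """Hardened choice: a random per-installation passphrase kept outside the config database."""
    return secrets.token_urlsafe(32)
```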

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

CVE-2024-5764

Affected Products

Nexus Repository Manager
Sonatype Nexus Repository