CVE-2024-36116
Published: 19 June 2024
Summary
CVE-2024-36116 is a high-severity Path Traversal (CWE-22) vulnerability in Reposilite Reposilite. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 4.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Reposilite, an open source Maven repository manager for JVM artifacts, contains a path traversal vulnerability in its JavadocEndpoints.kt controller. The component extracts Javadoc archives to the filesystem using filenames taken directly from the archive without sanitization, allowing entries such as "/../../../anything.txt" to write files outside the intended target directory. The flaw is tracked as CWE-22 and affects all versions prior to 3.5.12.
An attacker who can publish or influence a Maven artifact on an upstream source such as Maven Central or JitPack can craft a malicious Javadoc archive that, once fetched and processed by a Reposilite instance, overwrites arbitrary local files. Successful exploitation can place a new plugin in the workspace plugins directory to obtain remote code execution or corrupt the contents of other hosted packages. The attack requires the victim instance to index the attacker-controlled artifact and carries a CVSS 7.5 rating reflecting network access with low privileges but high attack complexity.
The project’s security advisory and release notes state that the issue is resolved in version 3.5.12; users should upgrade immediately because no workarounds are available. The fix is documented in the referenced commits that sanitize archive entry names before extraction.
EPSS scores rose from low values to a peak of 0.2848 on 2025-12-11 before receding to the current 0.1798, indicating measurable post-disclosure exploitation interest. The vulnerability was discovered and reported by the GitHub Security Lab as GHSL-2024-073.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2579
Vulnerability details
Reposilite is an open source, lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. Reposilite provides support for JavaDocs files, which are archives that contain documentation for artifacts. Specifically, JavadocEndpoints.kt controller allows to expand the javadoc archive…
more
into the server's file system and return its content. The problem is in the way how the archives are expanded, specifically how the new filename is created. The `file.name` taken from the archive can contain path traversal characters, such as '/../../../anything.txt', so the resulting extraction path can be outside the target directory. If the archive is taken from an untrusted source, such as Maven Central or JitPack for example, an attacker can craft a special archive to overwrite any local file on Reposilite instance. This could lead to remote code execution, for example by placing a new plugin into the '$workspace$/plugins' directory. Alternatively, an attacker can overwrite the content of any other package. Note that the attacker can use its own malicious package from Maven Central to overwrite any other package on Reposilite. Reposilite has addressed this issue in version 3.5.12. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue was discovered and reported by the GitHub Security lab and is also tracked as GHSL-2024-073.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.