CVE-2024-5082
Published: 14 November 2024
Summary
CVE-2024-5082 is a high-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, it ranks in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A Remote Code Execution vulnerability tracked as CVE-2024-5082 affects Sonatype Nexus Repository 2 OSS and Pro editions up to and including version 2.15.1. The flaw is categorized under CWE-94 and carries a CVSS 4.0 score of 7.1, reflecting a network-accessible code injection that can be triggered without user interaction.
An authenticated attacker with low privileges can send specially crafted requests to the repository server and achieve remote code execution. Successful exploitation grants the ability to read sensitive data and perform limited integrity modifications on the affected instance while leaving availability largely intact.
The vendor has published an advisory at https://support.sonatype.com/hc/en-us/articles/30694125380755 that addresses the issue for supported deployments. The associated EPSS score remains modest, with a recorded peak of 0.0891 and a current value of 0.0636.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47116
Vulnerability details
A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2. This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1.
- CWE(s): CWE-94 (Code Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not yet been run; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.