
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A Remote Code Execution (RCE) vulnerability, tracked as CVE-2024-5082, has been discovered in Sonatype Nexus Repository 2. It affects every Nexus Repository 2 OSS and Pro release up to and including 2.15.1. The issue was discovered and reported by Michael Stepankin (artsploit) through Sonatype's Bug Bounty Program (Sonatype Advisory, Security Online).
The vulnerability carries a CVSSv4 score of 7.1 (HIGH). It allows an attacker to publish a specially crafted Maven artifact containing a malicious payload that is executed when the artifact is downloaded. Exploitation requires network access to the Nexus Repository Manager 2.x instance together with credentials that carry at least the minimal permission needed to publish a Maven artifact; an unauthenticated attacker cannot trigger it directly, but any account that can deploy to a Maven repository is sufficient (Sonatype Advisory).
Successful exploitation leads to remote code execution on systems that download the malicious artifact. Because artifacts served by a repository manager are typically trusted by every build and deployment that consumes them, a single poisoned artifact on an affected Nexus Repository 2 server can result in complete compromise of the systems that fetch it (Security Online).
Sonatype has released Nexus Repository Manager 2.15.2 (OSS and Pro) to fix this vulnerability. For organizations that cannot upgrade immediately, Sonatype provides interim mitigations, including custom WAF rules for deployments in AWS that sit behind resources integrated with AWS WAF; note that a WAF rule reduces exposure but is not a substitute for the patched release. Sonatype also strongly encourages users to migrate to Sonatype Nexus Repository 3, since the 2.x line is under Extended Maintenance and receives only limited updates (Sonatype Advisory).
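The affected range above is "every 2.x release before 2.15.2", which is easy to misjudge by hand because Nexus 2 reports versions with a build qualifier (for example 2.15.1-02) and string comparison gets 2.9 and 2.15 in the wrong order. The following script is an added example, not code from Sonatype or from this page: it parses the version the way the advisory's range requires, and includes an optional fetcher for the Nexus 2 status resource (`/service/local/status`), which is assumed to return JSON with a `data.version` field and to be reachable by the caller. The embedded status response and the `nexus.example.internal` host name are constructed for offline use.

```python
"""Classify a Nexus Repository 2 version against the CVE-2024-5082 range
(all 2.x releases up to and including 2.15.1; fixed in 2.15.2).

Added example, not Sonatype's code. Assumes the Nexus 2 status resource
GET <base>/service/local/status returns JSON containing data.version such as
"2.15.1-02". The sample payload below is constructed for offline use.
"""
import json
import re
import urllib.request
from typing import Tuple

FIXED_VERSION = (2, 15, 2)  # first release that contains the fix

# Constructed sample, shaped like a Nexus 2 status response (not captured).
SAMPLE_STATUS_JSON = json.dumps({
    "data": {
        "appName": "Nexus Repository Manager",
        "version": "2.15.1-02",
        "editionLong": "OSS",
    }
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.15.1-02' into (2, 15, 1).

    The '-NN' build qualifier does not move a release in or out of the
    affected range, so it is dropped. Short strings are zero-padded so that
    '2.15' compares as (2, 15, 0) rather than failing the comparison.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True for any Nexus 2 release older than 2.15.2.

    Nexus 3 (major version 3) is outside the advisory's affected range, so a
    3.x version string is reported as not affected by this CVE.
    """
    v = parse_version(version)
    return v[0] == 2 and v < FIXED_VERSION


def version_from_status(body: str) -> str:
    """Extract data.version from a status-resource JSON body."""
    return json.loads(body)["data"]["version"]


def check_instance(base_url: str, timeout: float = 10.0) -> Tuple[str, bool]:
    """Fetch the status resource of a live instance and classify it.

    Needs network access; base_url is the Nexus context path, e.g.
    'https://nexus.example.internal/nexus' (hypothetical host name).
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/service/local/status",
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ver = version_from_status(resp.read().decode("utf-8"))
    return ver, is_affected(ver)


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in check_instance()
    # with a real base URL to test a deployment you are authorised to assess.
    ver = version_from_status(SAMPLE_STATUS_JSON)
    print(ver, "AFFECTED (upgrade to 2.15.2)" if is_affected(ver) else "not affected")
```

Run `check_instance("https://<your-nexus-host>/nexus")` against each Nexus 2 instance you own; anything reported as affected should be upgraded to 2.15.2 or, better, migrated to Nexus Repository 3 as the advisory recommends.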
Source: This report was generated using AI