Full Report
Apache Maven is the most common build tool for Java. A project's dependencies are declared in an XML file (the POM), and during a build Maven downloads the artifacts it needs into the local repository; that work is delegated to the Maven Artifact Resolver. Maven Central is the main public repository these libraries come from. It is public, but publishing is namespaced by group ID: only the verified owner of org.springframework.boot, for example, can publish artifacts under that group. Publishing goes through the Central Portal or the legacy OSSRH hosting. Under the hood, public repositories run by JFrog, JBoss and others use repository-manager software, and organizations run the same kind of software in-house, where a proxy mode lets a private Maven repository cache artifacts fetched from public ones.

Two of the in-house repository managers were vulnerable to XSS when rendering an attacker-supplied XML file (POM or metadata). Because the attacker controls the XML and it is rendered in the browser of whoever views it, this gives arbitrary script execution in the session of the logged-in user, and with it anything that user can do in the UI.

When a repository manager proxies a download, it builds the upstream URL from the artifact coordinates: group ID, artifact ID, version and so on. None of these values are escaped, so a coordinate containing slashes or a pound sign changes the meaning of the URL: a ../ segment walks out of the expected directory and a # cuts the path short. The servers also truncate whatever follows the artifact portion of the path. JFrog in particular treats a semicolon in the URL as a delimiter: parsing stops at the semicolon on the JFrog side, but not in the other components that handle the same request. That mismatch makes cache poisoning possible whenever a proxy sits in the chain. The proxied request retrieves whatever the directory traversal after the semicolon points at, and the next request for the cached path receives the poisoned content. Both Nexus and JFrog also accept URL query parameters for proxy repositories, which turned out to be a worthwhile attack surface to poke at.

Nexus performed its authorization checks by matching routes against the URL path; appending an extra slash to the path bypassed that check. This allowed overwriting files on the server that were never meant to be writable. To make exploitation easier, the author found that an item's contentGenerator tag could be set to velocity. Velocity is a templating engine, so overwriting a file with a Velocity template yields RCE, though it still requires an authenticated account.

Overall, a pretty awesome post. The author's insight into how many of these bugs were found: "This [architecture] may introduce a second-order vulnerability when an attacker uploads a specially crafted artifact to the public repository first, and then uses it to attack the in-house manager." Integrating multiple pieces of software is complicated.
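The two parser mismatches above (unescaped coordinates in the upstream URL, and a semicolon that ends the path for one component but not another) are easier to see in a small simulation. The following is an added example written for this page; it is not code from the blog post, Nexus or Artifactory. The proxy and upstream classes, the whitelist in COORD_RE and the normalisation rules they apply are assumptions made for the demo, and the artifact paths and contents are constructed.

```python
"""Added example, not code from the blog post, Nexus or Artifactory.

Models the two parser mismatches the report describes:
  1. artifact coordinates interpolated into the upstream URL path without
     escaping, so a crafted artifactId changes which file is fetched;
  2. a caching proxy and an upstream that disagree about ';' (the upstream
     stops parsing at the semicolon, the proxy does not), so one request can
     poison the cache entry of a legitimate artifact.
The proxy and upstream classes are a simplified simulation; the rules they
apply are assumptions for the demo, not vendor behaviour.
"""
import posixpath
import re

# Assumed whitelist for a single Maven coordinate: letters, digits, '_', '-', '.'
COORD_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

LEGIT = "org/victim/lib/1.0/lib-1.0.jar"        # constructed paths
EVIL = "net/attacker/evil/1.0/evil-1.0.jar"
# Constructed attacker request: the upstream sees only the part before ';', the
# proxy sees the whole path and collapses the '..' segments back into LEGIT.
POISON = EVIL + ";/../../../../../" + LEGIT


def naive_artifact_path(group_id, artifact_id, version, ext="jar"):
    """Standard repository layout built by plain interpolation, no escaping
    (the weak pattern the report describes)."""
    return f"{group_id.replace('.', '/')}/{artifact_id}/{version}/{artifact_id}-{version}.{ext}"


def effective_request_path(raw_path):
    """What an ordinary HTTP server resolves: drop any fragment, then collapse
    '.' and '..' segments (RFC 3986 remove_dot_segments, via normpath)."""
    return posixpath.normpath(raw_path.split("#", 1)[0])


def safe_artifact_path(group_id, artifact_id, version, ext="jar"):
    """Same layout, but each coordinate is validated and the resulting path is
    checked segment by segment so no '..', '.' or empty segment can slip in."""
    for name, value in (("groupId", group_id), ("artifactId", artifact_id),
                        ("version", version), ("extension", ext)):
        if not COORD_RE.fullmatch(value):
            raise ValueError(f"illegal {name}: {value!r}")
    path = naive_artifact_path(group_id, artifact_id, version, ext)
    if any(seg in ("", ".", "..") for seg in path.split("/")):
        raise ValueError(f"coordinates would escape the repository layout: {path}")
    return path


def is_safe_repository_path(raw_path):
    """Reject any request path two parsers could disagree on: dot or empty
    segments (covers the '//' trick), ';', '#', '?', backslash, and their
    percent-encoded forms. Expects a path relative to the repository root."""
    if re.search(r"%(2e|2f|5c|3b|23|3f)", raw_path, re.I):
        return False
    return all(seg not in ("", ".", "..") and not set(seg) & set(";#?\\")
               for seg in raw_path.split("/"))


class MatrixParamUpstream:
    """Upstream that stops parsing the path at ';' before resolving the file
    (the behaviour the report attributes to JFrog, simplified)."""
    def __init__(self, files):
        self.files = files

    def get(self, raw_path):
        return self.files.get(effective_request_path(raw_path.split(";", 1)[0]), "404")


class CachingProxy:
    """Proxy that forwards the raw path but keys its cache on the whole path
    after dot-segment normalisation (assumed behaviour for the demo)."""
    def __init__(self, upstream):
        self.upstream, self.cache = upstream, {}

    def get(self, raw_path):
        key = effective_request_path(raw_path)
        if key not in self.cache:
            self.cache[key] = self.upstream.get(raw_path)
        return self.cache[key]


class HardenedProxy(CachingProxy):
    """Same proxy, but refuses ambiguous paths before they reach the cache."""
    def get(self, raw_path):
        if not is_safe_repository_path(raw_path):
            return "400 rejected"
        return super().get(raw_path)


def poison_demo(hardened=False):
    """Returns (response to the attacker's request, response a later client
    gets when it asks for the legitimate path)."""
    upstream = MatrixParamUpstream({LEGIT: "legit-bytes", EVIL: "evil-bytes"})
    proxy = (HardenedProxy if hardened else CachingProxy)(upstream)
    return proxy.get(POISON), proxy.get(LEGIT)


if __name__ == "__main__":
    bad_artifact = "x/../../../" + EVIL + "#"   # constructed crafted artifactId
    print("built:  ", naive_artifact_path("org.victim", bad_artifact, "1.0"))
    print("fetched:", effective_request_path(naive_artifact_path("org.victim", bad_artifact, "1.0")))
    print("vulnerable proxy:", poison_demo())
    print("hardened proxy:  ", poison_demo(hardened=True))
```

The vulnerable run returns the attacker's bytes for both requests: the first because the upstream only saw the part before the semicolon, the second because the proxy cached that response under the legitimate key. The hardened proxy refuses the ambiguous request outright rather than trying to normalise it, which is the safer choice when you cannot guarantee that every component in the chain parses the path identically.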
Analysis Summary
# Vulnerability: Critical Flaws in Maven Repository Managers (Nexus & Artifactory)
## CVE Details
- **CVE IDs (as listed in this summary; confirm against the vendor advisories in References before relying on them):**
- **CVE-2024-42474** (Sonatype Nexus Repository Manager)
- **CVE-2024-28186** (JFrog Artifactory)
- **CVSS Score:** Not given in the report. The Velocity RCE path requires an authenticated account, so a pre-auth 9.8 should not be assumed; take scores from the vendor advisories.
- **CWE:** CWE-22 (Path Traversal), CWE-94 (Improper Control of Generation of Code), CWE-79 (Cross-Site Scripting)
## Affected Systems
- **Products:**
- Sonatype Nexus Repository Manager (OSS/Pro)
- JFrog Artifactory
- **Versions:**
- Nexus: Versions prior to 3.69.0
- Artifactory: Various versions (refer to vendor advisories for specific fix increments)
- **Configurations:**
- Systems configured with **Proxy Repositories** (caching external repositories like Maven Central).
- Nexus instances where a user can set an item's `contentGenerator` tag to `velocity` (Velocity template rendering of stored content).
## Vulnerability Description
Multiple vulnerabilities exist in how repository managers process artifact metadata and URL paths:
1. **Path Traversal & Auth Bypass:** Nexus authorized requests by matching routes against the URL path; appending an extra slash to the path bypassed that check and allowed overwriting files the requester should not have been able to write. More generally, artifact coordinates (group ID, artifact ID, version) are interpolated into upstream URLs unescaped, so slashes or `#` inside them change which path is actually requested.
2. **Remote Code Execution (RCE):** With the write access gained above, setting a file's `contentGenerator` tag to `velocity` makes Nexus render that file as a Velocity template, giving server-side template injection (SSTI) and code execution. An authenticated account is still required.
3. **Cache Poisoning:** JFrog Artifactory stops parsing a URL path at a semicolon (`;`), while proxies and other components handling the same request do not. A request whose tail after the `;` contains `../` traversal is served one artifact by Artifactory but cached by the proxy under the path of a different, legitimate artifact, which later clients then receive.
4. **Stored XSS:** Crafted XML (POM or metadata) files uploaded by an attacker are rendered in the browser of a user of the manager's web UI (for example an administrator), giving script execution in that user's session and therefore any action the user can perform there.
## Exploitation
- **Status:** PoC demonstrated in the GitHub Security Lab write-up referenced below.
- **Complexity:** Medium (requires understanding the Maven repository layout and how the manager builds its upstream requests).
- **Attack Vector:** Network. In the second-order variant, an attacker publishes a crafted artifact to a public repository (e.g. Maven Central) under a group they control; its metadata is then processed by the in-house manager when it proxies the artifact or when a user views it in the UI. The auth-bypass and template-injection issues are triggered by direct requests to the manager.
## Impact
- **Confidentiality:** High (read access to hosted artifacts and, after RCE, to the server environment).
- **Integrity:** High (ability to poison the supply chain by replacing legitimate JAR files with malicious ones in the cache).
- **Availability:** High (potential for full server takeover or deletion of hosted content).
## Remediation
### Patches
- **Sonatype Nexus:** Upgrade to version **3.69.0** or later.
- **JFrog Artifactory:** Apply the latest security patches released in 2024 (refer to JFrog's security portal).
### Workarounds
- Disable Velocity-based content generation (the `contentGenerator` path) if it is not required.
- Restrict the ability of the repository manager to reach out to untrusted or unverified third-party Maven repositories.
- Add WAF or reverse-proxy rules that reject path anomalies (doubled slashes, `;` inside path segments, `..` segments, and their percent-encoded forms). The proxy must normalize paths the same way the manager does, otherwise it becomes one more parser mismatch of the kind exploited here.
## Detection
- **Indicators of Compromise:**
- Requests or stored artifact attributes that set `contentGenerator` to `velocity`.
- Doubled slashes in request paths (e.g., `//repository/internal`), semicolons inside path segments, and `..` or percent-encoded (`%2e%2e`, `%2f`) traversal in access logs.
- Velocity template syntax inside stored POM or metadata files, or `.vm` (Velocity template) files in unexpected directories on the server.
- **Detection Methods:** Audit `pom.xml` and `maven-metadata.xml` files, including those cached from proxied repositories, for coordinates containing slashes, `..`, `;` or `#`, and for script or template markup in text fields.
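The indicators above translate into two small checks, shown here as an added example written for this page (not code from the blog post or either vendor): a scan of request-log lines for the path anomalies, and an audit of POM dependency coordinates. The log lines are constructed in Apache combined format; real Nexus and Artifactory request logs have their own layouts, so `LOG_RE` is the part to adapt. The `contentGenerator=velocity` rule follows the indicator list above and assumes the value shows up in the request target; `COORD_RE` and `PROPERTY_RE` are assumed whitelists, and the sample POM is constructed.

```python
"""Added example, not from the blog post, Nexus or Artifactory: detection logic
for the indicators listed above, run over constructed sample data."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Apache combined log format (constructed); adapt to the manager's real layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Rules run against the raw request target and its percent-decoded form, so
# encoded traversal is caught both as encoding and as the '..' it hides.
RULES = [
    ("double-slash", re.compile(r"//")),
    ("dot-segment", re.compile(r"(^|/)\.\.(/|$)")),
    ("encoded-traversal", re.compile(r"%2e|%2f|%5c", re.I)),
    ("matrix-param", re.compile(r";")),
    ("velocity-generator", re.compile(r"contentGenerator=velocity", re.I)),
]

# Constructed sample log: line 1 is benign, lines 2-5 each carry an indicator.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET /repository/maven-central/org/springframework/boot/spring-boot/3.2.0/spring-boot-3.2.0.jar HTTP/1.1" 200 1234',
    '10.0.0.9 - - [12/May/2024:10:00:02 +0000] "GET /repository//maven-releases/org/example/lib/1.0/lib-1.0.jar HTTP/1.1" 200 4321',
    '203.0.113.7 - - [12/May/2024:10:00:03 +0000] "GET /repository/maven-central/net/attacker/evil/1.0/evil-1.0.jar;/../../../../../org/victim/lib/1.0/lib-1.0.jar HTTP/1.1" 200 999',
    '203.0.113.7 - - [12/May/2024:10:00:04 +0000] "GET /repository/maven-releases/org/example/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '203.0.113.7 - dev [12/May/2024:10:00:05 +0000] "PUT /repository/maven-releases/org/example/lib/1.0/lib-1.0.pom?contentGenerator=velocity HTTP/1.1" 201 0',
]


def scan_log(lines):
    """Return one finding per suspicious request: line number, client IP,
    request target and the rule names that fired, in RULES order."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        decoded = unquote(target)
        reasons = [name for name, rx in RULES if rx.search(target) or rx.search(decoded)]
        if reasons:
            findings.append({"line": n, "ip": m.group("ip"), "target": target, "reasons": reasons})
    return findings


POM_NS = "{http://maven.apache.org/POM/4.0.0}"
COORD_RE = re.compile(r"^[A-Za-z0-9_.-]+$")          # assumed coordinate alphabet
PROPERTY_RE = re.compile(r"^\$\{[A-Za-z0-9_.-]+\}$")  # ${some.property} references

# Constructed POM: one ordinary dependency, one with a crafted artifactId.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>app</artifactId><version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot</artifactId>
      <version>${spring-boot.version}</version>
    </dependency>
    <dependency>
      <groupId>org.victim</groupId>
      <artifactId>x/../../../net/attacker/evil/1.0/evil-1.0.jar#</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>"""


def audit_pom(pom_xml):
    """Flag dependency coordinates outside the usual identifier alphabet or with
    empty segments (which become '//' or '..' in the layout), i.e. values that
    would rewrite an upstream URL once interpolated. Returns (field, value)."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith(POM_NS) else ""
    findings = []
    for dep in root.iter(ns + "dependency"):
        for field in ("groupId", "artifactId", "version"):
            el = dep.find(ns + field)
            if el is None:            # version may be managed elsewhere; skip
                continue
            value = (el.text or "").strip()
            if PROPERTY_RE.fullmatch(value):
                continue
            segments = value.replace(".", "/").split("/")
            if not COORD_RE.fullmatch(value) or any(not s for s in segments):
                findings.append((field, value))
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["line"], hit["ip"], ",".join(hit["reasons"]), hit["target"])
    print(audit_pom(SAMPLE_POM))
```

Run the log scan over the manager's request log and the POM audit over the proxy cache directory (the cached POMs are exactly the second-order input the author describes). Property references such as `${spring-boot.version}` are skipped rather than flagged; anything else outside the coordinate alphabet is reported for a human to look at.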
## References
- **Sonatype Advisory:** hxxps[://]advisories[.]sonatype[.]com/
- **JFrog Security:** hxxps[://]jfrog[.]com/trust/advisories/
- **Original Research:** hxxps[://]github[.]blog/security/vulnerability-research/attacks-on-maven-proxy-repositories/