CVE-2024-5764

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-5764

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5764.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-5764

Published

2024-10-23T15:15:32.340Z

Modified

2026-04-10T05:19:36.096665Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Use of Hard-coded Credentials vulnerability in Sonatype Nexus Repository has been discovered in the code responsible for encrypting any secrets stored in the Nexus Repository configuration database (SMTP or HTTP proxy credentials, user tokens, tokens, among others). The affected versions relied on a static hard-coded encryption passphrase. While it was possible for an administrator to define an alternate encryption passphrase, it could only be done at first boot and not updated.

This issue affects Nexus Repository: from 3.0.0 through 3.72.0.

References

https://support.sonatype.com/hc/en-us/articles/34496708991507

Affected packages

Git / github.com/sonatype/nexus-public

Affected ranges

Type

GIT

Repo

https://github.com/sonatype/nexus-public

Events

Introduced

Fixed

110e6178ff2e1e589b24c1cbefb25a96312b286c

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.73.0"
        }
    ]
}

Affected versions

3.*

3.37.1-01

release-3.*

release-3.20.0-04

release-3.20.1-01

release-3.21.0-05

release-3.22.0-02

release-3.22.1-02

release-3.23.0-03

release-3.24.0-02

release-3.25.0-03

release-3.25.1-02

release-3.26.0-04

release-3.26.1-02

release-3.27.0-03

release-3.28.0-01

release-3.28.1-01

release-3.29.0-02

release-3.29.1-01

release-3.29.2-02

release-3.3.0-01

release-3.30.0-01

release-3.30.1-01

release-3.31.0-01

release-3.31.1-01

release-3.32.0-03

release-3.33.0-01

release-3.33.1-01

release-3.34.0-01

release-3.34.1-01

release-3.35.0-02

release-3.36.0-01

release-3.37.0-01

release-3.37.3-02

release-3.38.0-01

release-3.38.1-01

release-3.39.0-01

release-3.4.0-02

release-3.40.0-03

release-3.41.0-01

release-3.41.1-01

release-3.42.0-01

release-3.43.0-01

release-3.44.0-01

release-3.45.0-01

release-3.45.1-SNAPSHOT

release-3.46.0-01

release-3.47.0-01

release-3.47.1-01

release-3.48.0-01

release-3.49.0-02

release-3.5.0-02

release-3.50.0-01

release-3.51.0-01

release-3.52.0-01

release-3.53.0-01

release-3.53.1-02

release-3.54.1-01

release-3.55.0-01

release-3.56.0-01

release-3.57.0-01

release-3.58.0-01

release-3.58.1-01

release-3.58.1-02

release-3.59.0-01

release-3.60.0-02

release-3.61.0-02

release-3.62.0-01

release-3.63.0-01

release-3.64.0-03

release-3.64.0-04

release-3.65.0-02

release-3.66.0-02

release-3.67.0-03

release-3.67.1-01

release-3.68.0-04

release-3.68.1-02

release-3.69.0-02

release-3.70.0-03

release-3.70.1-02

release-3.71.0-06

release-3.72.0-04

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5764.json"