CVE-2021-40143 - OpenCVE

Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sonatype	Nexus Repository Manager 3

Configuration 1 [-]

cpe:2.3:a:sonatype:nexus_repository_manager_3:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://issues.sonatype.org/secure/ReleaseNote.jspa
https://support.sonatype.com/hc/en-us/articles/4405941762579

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-09-07T19:28:53

Updated: 2024-08-04T02:27:31.862Z

Reserved: 2021-08-25T00:00:00

Link: CVE-2021-40143

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-07T20:15:08.467

Modified: 2021-09-14T17:11:54.177

Link: CVE-2021-40143

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-07T19:28:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://issues.sonatype.org/secure/ReleaseNote.jspa"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.sonatype.com/hc/en-us/articles/4405941762579"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-40143", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://issues.sonatype.org/secure/ReleaseNote.jspa", "refsource": "MISC", "url": "https://issues.sonatype.org/secure/ReleaseNote.jspa"}, {"name": "https://support.sonatype.com/hc/en-us/articles/4405941762579", "refsource": "CONFIRM", "url": "https://support.sonatype.com/hc/en-us/articles/4405941762579"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:27:31.862Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://issues.sonatype.org/secure/ReleaseNote.jspa"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.sonatype.com/hc/en-us/articles/4405941762579"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-40143", "datePublished": "2021-09-07T19:28:53", "dateReserved": "2021-08-25T00:00:00", "dateUpdated": "2024-08-04T02:27:31.862Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sonatype:nexus_repository_manager_3:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5FBAC49-DC4B-4CEA-98D3-051D1D3DF517", "versionEndExcluding": "3.34.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance."}, {"lang": "es", "value": "Sonatype Nexus Repository versiones 3.x hasta 3.33.1-01, es vulnerable a una inyecci\u00f3n de encabezado HTTP. mediante el env\u00edo de una petici\u00f3n HTTP dise\u00f1ada, un atacante remoto puede divulgar informaci\u00f3n confidencial o solicitar recursos externos desde una instancia vulnerable"}], "id": "CVE-2021-40143", "lastModified": "2021-09-14T17:11:54.177", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-07T20:15:08.467", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://issues.sonatype.org/secure/ReleaseNote.jspa"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://support.sonatype.com/hc/en-us/articles/4405941762579"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}