Weak Password Encryption in Sonatype Nexus Repository Manager LDAP Integration
CVE-2017-17717

9.8CRITICAL

Key Information:

Vendor: Sonatype
Status: Nexus Repository Manager
Vendor: CVE Published:; 3 October 2022

What is CVE-2017-17717?

The Sonatype Nexus Repository Manager, specifically versions up to 2.14.5, is susceptible to a security issue stemming from weak password encryption in its LDAP integration feature. The integration utilizes a hardcoded CMMDwoV value, which undermines the strength of user password protection, potentially allowing unauthorized access to sensitive information stored within the repository. It is crucial for users of affected versions to evaluate their security posture and implement necessary mitigations to protect against exploitation.

References

http://openwall.com/lists/oss-security/2017/12/17/3

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 3, 2022
Vulnerability Reserved
Oct 3, 2022