
CVE-2022-31289: Neither Bug nor Vulnerability

On June 11, a cyber security analyst published a blog post alleging that he had discovered a vulnerability in Nexus Repository OSS 3.37.3-02.

Unfortunately, this was the first time Sonatype had heard of it. Instead of following a responsible disclosure process and contacting us with his findings, the analyst went public without any advance notification or mutual verification.

Fortunately, CVE-2022-31289 is not a real vulnerability. Repository’s security features are not breached, and there is no exploit potential. You do not need to apply an update.

We are taking steps to dispute the CVE, and publishing this post to explore the alleged vulnerability in depth.

The “Self-Deception” Exploit

The reproduction steps for CVE-2022-31289, according to the analyst, are as follows:

  1. Set up Burp Suite to monitor traffic between the Repository UI and the Repository server.
  2. Attempt to log in via the Repository UI using bad credentials, which causes a REST call from the UI layer to the server.
  3. Use Burp Suite to intercept the “HTTP 403 Forbidden” response from the server, and modify it to an HTTP 200 OK response.

The user interface will now think the user has been authenticated. Since the Repository UI is a single-page app, it now displays the “logged in” UI state. The analyst erroneously concludes, “BOOM! I was logged in as admin.”

But actually, no breach has occurred. The UI has been put in an invalid state by manipulating the HTTP traffic, but the Repository server does not rely on client-side validation: it authenticates every REST operation on the server side.

Any subsequent request the UI now makes to display privileged information will fail, because the user’s session isn’t authenticated. The only path forward is a steady stream of errors as the UI layer fails over and over again to render…
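To make the argument concrete, here is an added example (not Sonatype's code, and not a model of Nexus Repository's internals) of a server that keeps authentication state entirely server-side and re-checks it on every privileged request. The `Server`, `Client`, `post_login`, `get_privileged` and `tamper_status` names are hypothetical; the credentials are constructed demo data. A client whose login response status has been rewritten from 403 to 200 ends up with a “logged in” flag but no server session, so every privileged call it makes still comes back 403.

```python
import secrets

class Server:
    """Authentication state lives here, never in the client."""
    def __init__(self, users):
        self._users = users      # username -> password (constructed demo data)
        self._sessions = {}      # session token -> username (server-side truth)

    def post_login(self, username, password):
        """Returns (status, body); a session token is issued only on success."""
        if self._users.get(username) != password:
            return 403, {}       # no session is created for a failed login
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return 200, {"session": token}

    def get_privileged(self, session_token):
        """Every privileged request is re-checked against the session store."""
        user = self._sessions.get(session_token)
        if user is None:
            return 403, {}
        return 200, {"user": user, "data": "privileged content"}


class Client:
    """Single-page-app model: derives its 'logged in' flag from the status it sees."""
    def __init__(self, server):
        self.server = server
        self.logged_in = False
        self.session = None

    def login(self, username, password, tamper_status=None):
        status, body = self.server.post_login(username, password)
        if tamper_status is not None:  # a proxy rewrote the status code the UI sees
            status = tamper_status
        if status == 200:              # UI state follows the (possibly forged) status
            self.logged_in = True
            self.session = body.get("session")  # None when the real answer was 403
        return self.logged_in

    def fetch_privileged(self):
        """What the UI gets back when it tries to render a privileged view."""
        return self.server.get_privileged(self.session)


def demo():
    server = Server({"admin": "correct-horse"})          # constructed credentials
    tricked = Client(server)
    tricked.login("admin", "wrong", tamper_status=200)   # UI now believes it is logged in
    honest = Client(server)
    honest.login("admin", "correct-horse")
    return tricked.fetch_privileged()[0], honest.fetch_privileged()[0]  # (403, 200)
```

Running `demo()` shows the tricked client's UI flag set to `True` while every privileged request it makes is still rejected, which is exactly the stream of render errors described above.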

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Michael Prescott. Read the original post at: https://blog.sonatype.com/nexus-repo-issue-neither-bug-nor-vulnerability