CVE-2021-40143: HTTP header injection in Sonatype Nexus Repository
8.2
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.67902%
CWE
Published
9/8/2021
Updated
2/1/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.sonatype.nexus:nexus-repository | maven | >= 3.0.0, <= 3.33.1-01 | 3.34.0-01 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The provided information does not include specific code snippets, commit diffs, or patch details that would allow identification of exact vulnerable functions. While the vulnerability (CWE-74) suggests improper neutralization of user input used in HTTP
headers, the lack of technical implementation details (e.g., class/method
names, file paths
, or code examples) makes it impossible to pinpoint specific functions with high confidence. HTTP
header injection typically involves unsafe concatenation of user-controlled data into headers (e.g., via setHeader()
or similar methods), but without concrete evidence from the codebase, no functions can be definitively identified.