7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-36115

GHSA ID

GHSA-9w8w-34vr-65j2

EPSS Score

0.84007%

CWE

CWE-79

Published

8/2/2024

Updated

11/4/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-36115

CVE-2024-36115: Reposilite artifacts vulnerable to Stored Cross-site Scripting

Summary

Reposilite v3.5.10 is affected by Stored Cross-Site Scripting (XSS) when displaying artifact's content in the browser.

Details

As a Maven repository manager, Reposilite provides the ability to view the artifacts content in the browser, as well as perform administrative tasks via API. The problem lies in the fact that the artifact's content is served via the same origin (protocol/host/port) as the Admin UI. If the artifact contains HTML content with javascript inside, the javascript is executed within the same origin. Therefore, if an authenticated user is viewing the artifacts content, the javascript inside can access the browser's local storage where the user's password (aka 'token-secret') is stored. It is especially dangerous in scenarios where Reposilite is configured to mirror third party repositories, like the Maven Central Repository. Since anyone can publish an artifact to Maven Central under its own name, such malicious packages can be used to attack the Reposilite instance.

Steps to reproduce

To demonstrate this vulnerability, we can start Reposilite with default settings at localhost:8080 and configure its 'release' repository to mirror https://artsploit.com/maven. This is my own website intended to emulate http://repo1.maven.org/, but it also contains a proof-of-concept payload for this vulnerability. Technically I could publish this payload to Maven Central Repository, but I don't want to clutter it.

Then, as an administrator or authenticated Reposilite user, navigate to http://localhost:8080/releases/com/artsploit/reposilite-xss/1.0/reposilite-xss-1.0.pom in the browser. This file contains the basic application/xml payload:

<?xml version="1.0" encoding="UTF-8"?>
<a:script xmlns:a="http://www.w3.org/1999/xhtml">
    alert(`Secret key: ${localStorage.getItem('token-secret')}`)
</a:script>

The script will be executed within the http://localhost:8080/ origin and the leaked token is displayed.

Impact

This issue may lead to the full Reposilite instance compromise. If this attack is performed against the admin user, it's possible to use the admin API to modify settings and artifacts on the instance. In the worst case scenario, an attacker would be able to obtain the Remote code execution on all systems that use artifacts from Reposilite.

Miggo Vulnerability Database

→

CVE-2024-36115

CVE-2024-36115:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-36115

GHSA ID

GHSA-9w8w-34vr-65j2

EPSS Score

0.84007%

CWE

CWE-79

Published

8/2/2024

Updated

11/4/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.reposilite:reposilite-backend	maven	>= 3.3.0, < 3.5.12	3.5.12

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from serving untrusted content (artifacts/Javadocs) without proper security headers. The commit diffs show both locations were patched by adding 'Content-Security-Policy: sandbox' headers. The first function (resultAttachment) handles general artifact content delivery, while the second (handleRawJavadocResource) deals with Javadoc resources. Both failed to enforce origin isolation pre-patch, enabling XSS via injected scripts. The high confidence comes from direct correlation between the vulnerability description, remediation steps, and the patched functions in the provided commit data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-36115: Reposilite artifacts vulnerable to Stored Cross-site Scripting

Summary

Details

Steps to reproduce

Impact

CVE-2024-36115:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2024-36115: Reposilite artifacts vulnerable to Stored Cross-site Scripting

Summary

Details

Steps to reproduce

Impact

Remediation

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI