CVE-2024-36116 Overview
CVE-2024-36116 is a path traversal vulnerability in Reposilite, an open source, lightweight, and easy-to-use repository manager for Maven-based artifacts in the JVM ecosystem. The flaw is in the JavaDoc handling implemented by the JavadocEndpoints.kt controller, which expands a JavaDoc archive into the server's file system so that its contents can be served. An attacker who controls such an archive can give an entry a name containing traversal sequences (for example /../../../anything.txt); the entry is then written outside the intended target directory, giving the attacker an arbitrary file write on the server.
Critical Impact
This vulnerability lets unauthenticated remote attackers overwrite any local file writable by the Reposilite process. Because Reposilite loads plugins from the $workspace$/plugins directory, dropping a malicious plugin there can lead to remote code execution; overwriting other packages hosted on the server compromises every consumer that downloads them.
Affected Products
- Reposilite versions prior to 3.5.12
- Any instance that expands JavaDoc archives it did not build itself, including archives deployed by users with publish rights
- Deployments that proxy or mirror public repositories such as Maven Central or JitPack, since a package published there by anyone can carry a poisoned JavaDoc archive
Discovery Timeline
- 2024-06-19 - CVE-2024-36116 published to NVD
- 2025-03-06 - Last updated in NVD database
Technical Details for CVE-2024-36116
Vulnerability Analysis
This vulnerability stems from improper input validation when extracting JavaDoc archive contents (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). Reposilite provides support for JavaDoc files, which are archives containing documentation for Maven artifacts. When a user requests JavaDoc content, the JavadocEndpoints.kt controller extracts the archive to the server's file system and serves the contents.
The critical flaw lies in how the extraction process constructs destination file paths. The file.name property extracted from archive entries is used directly without sanitizing path traversal sequences. Since archive entries can contain arbitrary filenames including directory traversal patterns like ../../, an attacker can escape the intended extraction directory and write files to arbitrary locations on the server.
Root Cause
The root cause is insufficient validation of archive entry names during the JavaDoc extraction process. The vulnerable code takes the filename directly from the archive without verifying that the resulting path remains within the designated extraction directory. Standard archive libraries typically preserve the original path structure, including any malicious traversal sequences embedded by an attacker.
Attack Vector
An attacker can exploit this vulnerability through several attack scenarios:
- Direct Upload: Deploy a malicious JavaDoc archive whose entry names contain path traversal sequences to a repository on the instance (this path requires deploy permission on that repository)
- Poisoned Dependencies: Publish a malicious package to a public repository the instance proxies, such as Maven Central or JitPack, then request that package's JavaDoc from the Reposilite instance so that it fetches and expands the archive
- Package Hijacking: Use the resulting arbitrary write to overwrite legitimate package contents on the Reposilite instance with malicious payloads
The poisoned-dependency path requires no authentication: the expansion is triggered by an ordinary JavaDoc request, and the archive reaches the server through normal proxying. A successful exploit writes arbitrary files with the permissions of the Reposilite process, enabling scenarios such as:
- Deploying malicious plugins to $workspace$/plugins for code execution
- Overwriting configuration files to alter server behavior
- Replacing legitimate artifacts with trojanized versions
Detection Methods for CVE-2024-36116
Indicators of Compromise
- Unexpected files appearing outside the Reposilite working directory, or in parts of it that the instance should never write to in response to a request
- New or modified plugins in the $workspace$/plugins directory that were not intentionally installed
- Cached JavaDoc archives whose entry names contain ../ segments or absolute paths, and file writes by the Reposilite process that resolve outside the JavaDoc extraction directory
- Modified package contents that differ from their upstream sources
Detection Strategies
- Monitor file system activity for write operations outside expected Reposilite directories
- Implement file integrity monitoring on critical system paths and the plugins directory
- Audit JavaDoc archive requests for packages from untrusted or external sources
- Review Reposilite logs for unusual artifact fetch patterns or JavaDoc expansion failures
Monitoring Recommendations
- Enable detailed logging for all archive extraction operations in Reposilite
- Deploy endpoint detection capabilities to identify suspicious file writes by Java processes
- Establish baseline file integrity checksums for the Reposilite installation and plugins directory
- Monitor network traffic for connections to untrusted Maven repositories
How to Mitigate CVE-2024-36116
Immediate Actions Required
- Upgrade Reposilite to version 3.5.12 or later immediately
- Audit the file system for any unexpected files or modifications, particularly in the plugins directory
- Review recently fetched packages from external repositories for potential compromise
- Consider temporarily disabling JavaDoc serving functionality if an immediate upgrade is not possible
Patch Information
The vulnerability has been addressed in Reposilite version 3.5.12. The fix implements proper path validation during archive extraction to ensure files cannot be written outside the intended target directory.
- Patched Version: 3.5.12
- Patch Commit: GitHub Commit 8481737
- Release Notes: GitHub Release Version 3.5.12
- Security Advisory: GHSA-frvj-cfq4-3228
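The following Python script is an added example, not Reposilite's code (Reposilite itself is written in Kotlin). It models the three things this page describes in prose: the unchecked join of an archive entry name onto the target directory that the Root Cause section describes, the containment check of the kind the 3.5.12 fix introduces, and the scan of cached JavaDoc archives for poisoned entry names suggested under Detection Strategies. The jar is constructed in memory, the javadocs/<group>/<artifact>/<version> layout and the five-level traversal entry are assumptions, and the entry names are checked by hand because Python's own ZipFile.extractall silently strips traversal on extraction and would hide the problem.

```python
"""Added example (not Reposilite's code): an archive entry name that escapes
the extraction directory, the containment check that blocks it, and a scanner
for cached JavaDoc jars. The sample jar and directory layout are constructed."""
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed entry name: five '..' segments climb out of the assumed
# javadocs/<group>/<artifact>/<version> layout into the workspace root.
EVIL_ENTRY = "../../../../../plugins/evil.txt"


def build_sample_jar(poisoned: bool = True) -> bytes:
    """Constructed JavaDoc-style jar: an honest entry plus, if poisoned, one
    entry whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html>docs</html>")
        if poisoned:
            zf.writestr(EVIL_ENTRY, "not documentation")
        else:
            zf.writestr("com/example/Foo.html", "<html>Foo</html>")
    return buf.getvalue()


def unsafe_destination(target_dir: str, entry_name: str) -> str:
    """The vulnerable pattern: the entry name is joined to the target
    directory with no check, so '..' segments are honoured."""
    return os.path.normpath(os.path.join(target_dir, entry_name))


def safe_destination(target_dir: str, entry_name: str) -> str:
    """Hardened form: reject absolute names, backslashes and NULs, then
    resolve the joined path and insist it stays inside the target directory."""
    if ("\\" in entry_name or "\x00" in entry_name
            or PurePosixPath(entry_name).is_absolute()
            or PureWindowsPath(entry_name).is_absolute()):
        raise ValueError(f"rejected entry name: {entry_name!r}")
    root = Path(target_dir).resolve()
    dest = (root / entry_name).resolve()
    if dest != root and root not in dest.parents:
        raise ValueError(f"entry escapes target directory: {entry_name!r}")
    return str(dest)


def scan_archive(data: bytes) -> list:
    """Detection: return the entry names in a cached jar that would escape
    or are otherwise unsafe, without writing anything to disk."""
    probe = os.path.join(tempfile.gettempdir(), "javadoc-probe")
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            try:
                safe_destination(probe, name)
            except ValueError:
                bad.append(name)
    return bad


def extract_safely(data: bytes, target_dir: str) -> list:
    """Validate every entry name before writing anything (fail closed), then
    extract; returns the paths written, relative to target_dir."""
    root = Path(target_dir).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = [(info, Path(safe_destination(target_dir, info.filename)))
                for info in zf.infolist()]
        for info, dest in plan:
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(info))
            written.append(dest.relative_to(root).as_posix())
    return written


def demo() -> dict:
    """Run the scenario in a throwaway workspace and report what happened."""
    with tempfile.TemporaryDirectory() as workspace:
        target = os.path.join(workspace, "javadocs", "com", "example", "lib", "1.0")
        os.makedirs(target)
        poisoned, clean = build_sample_jar(True), build_sample_jar(False)
        try:
            extract_safely(poisoned, target)
            aborted = False
        except ValueError:
            aborted = True
        return {
            "flagged": scan_archive(poisoned),
            # where the unchecked join would have put the poisoned entry
            "unsafe_lands_in": os.path.relpath(unsafe_destination(target, EVIL_ENTRY), workspace),
            "extraction_aborted": aborted,
            "written_before_abort": os.listdir(target),
            "clean_written": extract_safely(clean, target),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the unchecked join, the poisoned entry lands at plugins/evil.txt directly under the workspace, the analogue of $workspace$/plugins; the hardened extractor refuses the whole archive before writing a single file, which is the behaviour to prefer over skipping individual entries, since a half-extracted tree is harder to reason about during incident response. scan_archive can be pointed at every jar in the instance's storage to find poisoned archives that were fetched before the upgrade.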
Workarounds
- No workaround closes the flaw; upgrading to version 3.5.12 is required. Until the upgrade is applied, the following controls reduce exposure:
- Restrict network access to the Reposilite instance to trusted sources only, and avoid proxying public repositories that anyone can publish to
- Run Reposilite as a dedicated, unprivileged user with minimal file system permissions; in particular, make $workspace$/plugins and the configuration files read-only for that user so a traversal write cannot drop a plugin
- Web application firewall rules that look for path traversal patterns in request URLs will not catch this attack, because the ../ sequences sit inside the archive's entry names rather than in the HTTP request; any inspection has to look at the archive contents themselves
# Upgrade Reposilite to the patched version.
# The service name and the /opt/reposilite path below assume a
# systemd-managed install; adjust them to the deployment.
# Download the patched release from GitHub
wget https://github.com/dzikoysk/reposilite/releases/download/3.5.12/reposilite-3.5.12-all.jar
# Stop the current Reposilite instance
systemctl stop reposilite
# Keep the old JAR so the change can be rolled back, then install the patched one
cp /opt/reposilite/reposilite.jar /opt/reposilite/reposilite.jar.pre-3.5.12
mv reposilite-3.5.12-all.jar /opt/reposilite/reposilite.jar
# Restart Reposilite
systemctl start reposilite
# Verify the version
java -jar /opt/reposilite/reposilite.jar --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


