CVE-2021-40143
Description
Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to HTTP header injection, allowing remote attackers to disclose sensitive information or request external resources.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Sonatype Nexus Repository versions 3.x through 3.33.1-01 are vulnerable to HTTP header injection: a crafted HTTP request can cause attacker-controlled data to be placed into HTTP headers the server emits. According to the description this allows sensitive information to be disclosed or external resources to be requested; the description does not specify whether those requests are made by the server itself (SSRF) or by a client acting on the injected headers. [1]
Exploitation
The attack is remote and consists of a single crafted HTTP request carrying the injected header content, which the application processes and reflects into the headers it produces. The description does not identify which header or endpoint is affected, nor whether authentication is required. [1]
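The general mechanism the two paragraphs above describe, shown as an added example that is not Nexus Repository code and does not reproduce the specific header Nexus mishandled (this page does not identify it). It assumes the common case of an attacker-influenced value, here a redirect target, being copied verbatim into a response header: a CR/LF pair in the value terminates the header and lets the attacker append headers of their own. The hardened builder refuses any value containing control characters, which is the check a practitioner would add wherever request data reaches an emitted header:

```python
# Generic HTTP response-header (CRLF) injection demo. Added example, not Sonatype code.
# `location` stands in for any request-derived value that ends up in a response header;
# the redirect scenario itself is an assumption for illustration.

# Characters that must never appear in an HTTP header value.
CONTROL = {"\r", "\n", "\0"}


def build_redirect_vulnerable(location: str) -> bytes:
    """Serialise a 302 response, copying `location` into the Location header verbatim.

    Deliberately vulnerable: a CRLF inside `location` splits the header line.
    """
    raw = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return raw.encode("latin-1")


def build_redirect_hardened(location: str) -> bytes:
    """Same response, but reject any value that could terminate or add a header."""
    if any(ch in CONTROL for ch in location):
        raise ValueError("header value contains CR/LF/NUL; refusing to emit it")
    return build_redirect_vulnerable(location)


def rejects(location: str) -> bool:
    """True when the hardened builder refuses `location`."""
    try:
        build_redirect_hardened(location)
    except ValueError:
        return True
    return False


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a serialised response into {lowercase-name: [values]}.

    This is what a client (or proxy) would see, so it shows which headers the
    injection actually produced.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


if __name__ == "__main__":
    # Constructed payload: a legitimate-looking target followed by a CRLF and an
    # attacker-chosen header.
    payload = "https://example.test/\r\nSet-Cookie: sid=attacker"
    print("vulnerable:", parse_headers(build_redirect_vulnerable(payload)))
    print("hardened rejects payload:", rejects(payload))
```

Running the module shows the vulnerable response carrying an attacker-supplied `Set-Cookie` header alongside the intended `Location`, while the hardened builder raises before anything is written. The same control-character check applies to any header the server derives from request data, not only redirects.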
Impact
Successful exploitation can disclose sensitive information or cause requests to external resources. The description gives no further detail on what is exposed, so until the instance is patched any value the server derives from request headers and emits (redirect targets, generated URLs, cookies) should be treated as potentially attacker-influenced. [1]
Mitigation
Sonatype fixed the issue in Nexus Repository 3.34.0-01 (see the affected packages table below); upgrade to 3.34.0-01 or later. No workaround is recorded on this page. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.sonatype.nexus:nexus-repository (Maven) | >= 3.0.0, < 3.34.0-01 | 3.34.0-01 |
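A check against the range in the table above, written as an added example rather than Sonatype tooling. It parses Nexus Repository's `MAJOR.MINOR.PATCH-BUILD` version strings (for example `3.33.1-01`) into comparable tuples and reports whether a version falls in `>= 3.0.0, < 3.34.0-01`. The `Server: Nexus/3.33.1-01 (OSS)` header format used by `version_from_server_header` is an assumption about how an instance may advertise its version; confirm it against your own deployment before relying on it:

```python
# Affected-range check for CVE-2021-40143 (>= 3.0.0, < 3.34.0-01; fixed in 3.34.0-01).
# Added example, not Sonatype code. The Server-header format is an assumption.
import re
from typing import Optional, Tuple

VersionTuple = Tuple[int, int, int, int]

FIRST_AFFECTED: VersionTuple = (3, 0, 0, 0)
FIRST_FIXED: VersionTuple = (3, 34, 0, 1)  # 3.34.0-01

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")
# Assumed header shape: "Nexus/3.33.1-01 (OSS)" or "(PRO)".
_SERVER_RE = re.compile(r"Nexus/(\d+\.\d+\.\d+(?:-\d+)?)")


def parse_nexus_version(text: str) -> VersionTuple:
    """Parse 'MAJOR.MINOR.PATCH[-BUILD]' into (major, minor, patch, build).

    A missing build number is treated as 0, so a bare '3.34.0' sorts before
    '3.34.0-01' and is reported as affected (the conservative reading).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Nexus version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build) if build else 0)


def is_affected(version: str) -> bool:
    """True when `version` lies in the affected range from the advisory table."""
    v = parse_nexus_version(version)
    return FIRST_AFFECTED <= v < FIRST_FIXED


def version_from_server_header(server_header: str) -> Optional[str]:
    """Extract the version from an assumed 'Nexus/<version> (...)' Server header."""
    m = _SERVER_RE.search(server_header)
    return m.group(1) if m else None


def triage(server_header: str) -> str:
    """One-line verdict for a captured Server header value."""
    v = version_from_server_header(server_header)
    if v is None:
        return "unknown: version not advertised, check the instance directly"
    verdict = "AFFECTED, upgrade to 3.34.0-01 or later" if is_affected(v) else "not in affected range"
    return f"{v}: {verdict}"


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real instance.
    for hdr in ("Nexus/3.33.1-01 (OSS)", "Nexus/3.34.0-01 (PRO)", "nginx/1.24.0"):
        print(hdr, "->", triage(hdr))
```

Version strings are compared as integer tuples rather than as text, so `3.9.0-01` correctly sorts below `3.33.1-01`; a string comparison would get that wrong.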
Affected products
- Sonatype / Nexus Repository
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f34x-8pf6-qc9c (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-40143 (NVD entry)
- help.sonatype.com/repomanager3/release-notes/2021-release-notes (Sonatype 2021 release notes)
- issues.sonatype.org/secure/ReleaseNote.jspa (Sonatype release note)
- support.sonatype.com/hc/en-us/articles/4405941762579 (Sonatype support article, vendor confirmation)
News mentions
No linked articles in our index yet.