CVE-2024-36117

8.6 HIGH

📋 TL;DR

CVE-2024-36117 is an arbitrary file read vulnerability in Reposilite v3.5.10 that allows attackers to read sensitive files on the server via path traversal while serving expanded javadoc files. This affects organizations using vulnerable Reposilite instances as Maven repository managers. The vulnerability has been fixed in version 3.5.12.

💻 Affected Systems

Products:
  • Reposilite
Versions: v3.5.10 and earlier; treat every release before the 3.5.12 fix as affected. Exposure requires javadoc serving to be enabled.
Operating Systems: All platforms running Reposilite
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with javadoc file serving enabled, which is a common configuration for Maven repository managers.

📦 What is this software?

Reposilite is a lightweight, open-source repository manager for Maven artifacts, commonly run as a self-hosted alternative to Nexus or Artifactory. It can unpack uploaded javadoc jars and serve their contents as browsable HTML; that javadoc-serving code path is where this CVE lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read any file the Reposilite service account can access: system files, the repository manager's own configuration and tokens, credentials, or source code, potentially leading to complete system compromise. The process's file-system permissions bound what is reachable, which is why the account Reposilite runs as matters.

🟠

Likely Case

Unauthorized access to sensitive files containing API keys, database credentials, or other configuration secrets.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable instances.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and involves simple path traversal techniques.
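The bug class, as an added illustration that is not Reposilite's code (Reposilite is written in Kotlin; this is Python so it runs anywhere, and the directory layout, file names and function names are assumptions): a resource path taken from the request is joined onto the directory the javadoc jar was expanded into. The unsafe resolver serves whatever the joined path points to, so ".." segments walk out of the javadoc directory; the hardened resolver canonicalises both sides and refuses anything that does not stay under the root.

```python
"""
Added example, not Reposilite's code: path-traversal in a resolver that
serves files out of an expanded javadoc jar, beside a hardened version.
Directory layout and file names below are constructed for the demo.
"""
from pathlib import Path
import tempfile


def resolve_unsafe(javadoc_root: Path, requested: str) -> Path:
    # Vulnerable pattern: join the user-controlled resource path onto the
    # directory the javadoc jar was unpacked into and serve the result.
    # ".." segments (or an absolute path) escape the root unchecked.
    return (javadoc_root / requested).resolve()


def resolve_safe(javadoc_root: Path, requested: str) -> Path:
    # Hardened pattern: canonicalise the root and the candidate (resolve()
    # collapses ".." and follows symlinks), then require the candidate to
    # remain inside the root. A symlink planted inside the jar that points
    # outside the root is rejected by the same check.
    root = javadoc_root.resolve()
    candidate = (root / requested).resolve()
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise PermissionError(f"path escapes javadoc root: {requested!r}")
    return candidate


def demo() -> dict:
    """Build a throwaway tree, exercise both resolvers, return what each served."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        # Constructed stand-in for a sensitive file living outside the javadoc tree.
        secret = base / "local-config.txt"
        secret.write_text("token: example-not-real\n")

        # Constructed stand-in for <data>/javadocs/<group>/<artifact>/<version>/
        root = base / "javadocs" / "com" / "example" / "lib" / "1.0.0"
        root.mkdir(parents=True)
        (root / "index.html").write_text("<html>javadoc</html>")

        # Five ".." segments climb from 1.0.0 back up to `base`.
        traversal = "../../../../../local-config.txt"
        results = {}
        results["unsafe_legit"] = resolve_unsafe(root, "index.html").read_text()
        results["unsafe_traversal"] = resolve_unsafe(root, traversal).read_text()
        results["safe_legit"] = resolve_safe(root, "index.html").read_text()
        for label, path in (("safe_traversal", traversal), ("safe_absolute", "/etc/hostname")):
            try:
                resolve_safe(root, path)
                results[label] = "served"
            except PermissionError:
                results[label] = "blocked"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check has to be done on the resolved path, not on the raw string: rejecting requests that contain "../" leaves URL-encoded and symlink variants open, while `resolve()` followed by a containment test catches all of them.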

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.12

Vendor Advisory: https://github.com/dzikoysk/reposilite/security/advisories/GHSA-82j3-hf72-7x93

Restart Required: Yes

Instructions:

1. Download Reposilite 3.5.12 from GitHub releases.
2. Stop the current Reposilite service.
3. Replace the existing JAR file with the new version.
4. Restart the Reposilite service.

🔧 Temporary Workarounds

Block the javadoc route

Applies to: all affected versions

Until 3.5.12 is deployed, stop Reposilite from serving expanded javadoc files. The simplest reliable way is to deny requests to the javadoc route (paths under /javadoc/) at the reverse proxy or firewall in front of Reposilite; ordinary Maven traffic to repository paths is unaffected by that block. Disabling the feature inside Reposilite itself depends on the configuration format of your release, so check the configuration reference for the version you run rather than relying on a specific setting name.

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to Reposilite instances, and keep them off the public internet
  • Deploy a web application firewall (WAF) with path traversal rules, and make sure the rules inspect the URL-decoded path: '..%2f' and '%252e%252e' slip past a literal '../' match
  • Run Reposilite as a dedicated service account that can read only its own data directory, so a successful read is limited to what that account can see

🔍 How to Verify

Check if Vulnerable:

Check whether the running Reposilite version is earlier than 3.5.12 (the advisory names 3.5.10) and whether javadoc serving is enabled; if both hold, treat the instance as vulnerable.

Check Version:

java -jar reposilite.jar --version

Verify Fix Applied:

Verify Reposilite reports version 3.5.12 or later with the version check command, then confirm the service was actually restarted on the new JAR: a replaced JAR without a restart keeps running the old code.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in javadoc directories, or javadoc requests for files that are not part of any expanded jar
  • Requests to javadoc paths containing '..' segments, in plain ('../') or URL-encoded ('..%2f', '%2e%2e', '%252e%252e') form

Network Indicators:

  • HTTP requests to the /javadoc/ route whose path contains traversal sequences, especially from clients that never request normal artifact paths

SIEM Query:

source="reposilite" AND uri="*/javadoc/*" AND (uri="*../*" OR uri="*..%2f*" OR uri="*..%5c*" OR uri="*%2e%2e*")

The javadoc path filter and the traversal filter must be ANDed; ORing them matches every legitimate javadoc request.
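Detection logic for the indicators above, as an added example that is not from the page or the Reposilite project. It assumes the reverse proxy in front of Reposilite writes combined-format access logs (the log lines below are constructed), and it decodes the path repeatedly before matching so that the single- and double-encoded variants a substring search for '../' would miss are still flagged.

```python
"""
Added example: flag javadoc requests whose path contains a traversal
sequence, in plain or URL-encoded form. Log lines are constructed and
assume a combined-format access log from a proxy in front of Reposilite.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment bounded by a separator (or start/end of path).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize(uri: str) -> str:
    """Strip the query string, decode up to three layers of %-encoding,
    and fold backslashes so '..\\' is treated like '../'."""
    path = uri.split("?", 1)[0]
    prev = None
    for _ in range(3):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path.replace("\\", "/")


def is_javadoc_traversal(uri: str) -> bool:
    path = normalize(uri)
    return path.startswith("/javadoc/") and TRAVERSAL_RE.search(path) is not None


def scan(lines):
    """Return one dict per suspicious request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these separately
        if is_javadoc_traversal(m["uri"]):
            hits.append({"ip": m["ip"], "uri": m["uri"], "status": int(m["status"])})
    return hits


def sources(hits) -> Counter:
    """Count suspicious requests per client address for triage."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log: one legitimate javadoc request, three traversal
# attempts (plain, single-encoded, double-encoded) and one artifact download.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /javadoc/releases/com/example/lib/1.0.0/index.html HTTP/1.1" 200 1234',
    '203.0.113.7 - - [12/Jun/2024:10:01:05 +0000] "GET /javadoc/releases/com/example/lib/1.0.0/../../../../../../etc/passwd HTTP/1.1" 200 987',
    '203.0.113.7 - - [12/Jun/2024:10:01:06 +0000] "GET /javadoc/releases/com/example/lib/1.0.0/..%2f..%2f..%2fsecrets.txt HTTP/1.1" 200 321',
    '198.51.100.2 - - [12/Jun/2024:10:01:09 +0000] "GET /releases/com/example/lib/1.0.0/lib-1.0.0.pom HTTP/1.1" 200 800',
    '203.0.113.7 - - [12/Jun/2024:10:01:11 +0000] "GET /javadoc/releases/com/example/lib/1.0.0/%252e%252e/%252e%252e/secrets.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} {h['status']} {h['uri']}")
    print(dict(sources(found)))
```

A 200 on a traversal request is the line to escalate: it means the server returned something for a path outside the javadoc tree. A 404 still shows probing and is worth a ticket, but is not evidence of a successful read.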

🔗 References

  • Vendor advisory: https://github.com/dzikoysk/reposilite/security/advisories/GHSA-82j3-hf72-7x93