2020 Nexus Repository 2 Release Notes

Nexus Repository 2

Warning

A critical security vulnerability has been found in versions up to and including 2.14.18. For details, please see CVE-2020-13933.

Sonatype recommends that administrators upgrade to 2.14.19 or newer immediately.

Note

The notes below are a summary of new features, enhancements, and bug fixes per version release.

Repository Manager 2.14.20

This release includes an update to ActiveMQ for a CVE reported against it and an update of BouncyCastle to allow the use of ECC signatures.

Repository Manager 3 Upgrade Compatibility

Please see Upgrade Compatibility - Repository Manager 2 to 3 for a complete reference.

Security

  • [NEXUS-26224] - CVE-2020-13920: Apache ActiveMQ JMX is vulnerable to a MITM attack

Repository

  • [NEXUS-25956] - Signatures with ECC algorithm not being recognized

Repository Manager 2.14.19

This release includes minor security fixes.

Repository Manager 3 Upgrade Compatibility

Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.

  • [NEXUS-24349] - CVE-2020-15012 - NXRM2 Directory Traversal vulnerability

Repository Manager 2.14.18

This is a bug fix release that corrects an issue with deploying sha256 and sha512 checksums when using staging repositories.

Repository Manager 3 Upgrade Compatibility

Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.

  • [NEXUS-21802] - Maven metadata sha256/sha512 checksum in staging repositories

Repository Manager 2.14.17

This is a bug fix release and corrects a vulnerability that was discovered in prior versions of Nexus Repository Manager 2. We recommend all users upgrade to 2.14.17 or later.

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.

Security

  • [NEXUS-23556] - CVE-2020-11415: LDAP system credentials can be exposed by admin user

Repository Manager 2.14.16

Warning

An RCE vulnerability has been found and corrected in 2.14.16. See the CVE-2019-15893 advisory for details.

Sonatype recommends that administrators running NXRM2 versions up to and including 2.14.15 upgrade immediately.

This is a bug fix release and corrects vulnerabilities that were discovered in prior versions of Nexus Repository Manager 2. We recommend all users upgrade to 2.14.16 or later.

Repository Manager 3.x Upgrade Compatibility

Please see Upgrade Compatibility - Nexus Repository 2 to 3 for a complete reference.

Security

  • [NEXUS-22014] - CVE-2019-5475: OS Command Injection vulnerability

  • [NEXUS-22453] - Update Apache Shiro library to resolve security vulnerability

Repository

  • [NEXUS-22313] - Invalid content-range header returned

Crowd

  • [NEXUS-13306] - usernames containing non-URL safe characters cannot authenticate using the Crowd realm