Security Advisories
Note
Sonatype is currently refreshing its methodology for reporting on Security Advisories. This page contains historical data for informational purposes only.
Resolved Vulnerabilities
FIXED IN | ADVISORY | IMPACT |
---|---|---|
3.38.0 | A server-side request forgery could potentially lead to network enumeration. Knowledge Base Article. | |
3.38.0 | An HTML injection vulnerability could potentially allow a remote attacker to send a specially crafted URL request to alter the displayed HTML view. | |
3.36.0 | A server-side request forgery vulnerability could potentially lead to network enumeration or facilitate other attacks. See CVE-2021-43293 for full details. | |
3.36.0 | An attacker may use a low-privileged user account to access the SSL Certificates Loading function. Knowledge Base Article. | |
3.34.0 | An unauthenticated attacker may disclose sensitive information or request external resources from the vulnerable instance by sending a specially crafted HTTP request. Knowledge Base Article. | |
3.33.0 | An authenticated attacker with the ability to add HTML files to a repository could redirect users to Nexus Repository Manager's pages with code modifications. Knowledge Base Article. | |
3.31.0 | An authenticated attacker can get a list of blob files and read the content of a blob file (via a crafted GET request) without having been granted access. Knowledge Base Article. | |
3.30.1 | An unauthenticated user can submit a crafted HTTP request to get a list of files and directories that exist in Nexus Repository's webroot. Knowledge Base Article. | |
3.30.1 | An authenticated user can potentially retrieve the user token of a minute subset of other users in the system. Knowledge Base Article. | |
3.30.1 | An authenticated local user can store an XSS payload which, when viewed, executes arbitrary JavaScript within the context of the application. | |
3.29.0 | A user with admin privileges can configure the system to gain access to content outside of NXRM via an XXE (XML External Entity) vulnerability. Knowledge Base Article. | |
3.27.0 | An unauthenticated user can submit a specially crafted HTTP request that may cause an authentication bypass. Knowledge Base Article. | |
3.26.0 | A remote unauthenticated attacker could send a request to the server to successfully access private resources without the required security context. | |
3.25.1 | A user with the right permission can run arbitrary code on the NXRM server. | |
3.25.0 | The jQuery package is vulnerable to Cross-Site Scripting (XSS). | |
3.24 | Dependency bouncy castle 1.60: Information disclosure is possible with no additional execution privileges needed. | |
3.22.1 | Sensitive information disclosure (SID) - An attacker with administrative privileges can configure the system such that they can retrieve the credentials of external LDAP users. | |
3.22.0 | Improper access controls - An authenticated user can craft requests in such a manner that configuration for other users in the system can be affected. | |
3.21.2 | N/A | It is possible for a user with the right permissions to execute arbitrary Groovy or JavaScript scripts, resulting in remote code execution. Scripting is disabled and no longer recommended or supported. |
3.21.2 | Dependency snakeyaml 1.20: The Alias feature in snakeyaml allows entity expansion during a load operation. | |
3.21.2 | This issue may lead to remote code execution by any low-privilege user. | |
3.21.2 | The identified vulnerability allows arbitrary JavaScript to run in a user's browser in the context of the application. | |
3.21.0 | Dependency snakeyaml 1.18: The Alias feature in snakeyaml allows entity expansion during a load operation. | |
3.21.0 | Dependency hibernate-validator: Some payloads are improperly sanitized, allowing potentially malicious code in HTML comments and instructions. | |
3.20.0 | Dependency swagger-ui-dist 3.22.0: Attackers can use a Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. | |
3.19.0 | Dependency apache commons-compress: The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This makes a denial of service attack possible. | |
3.19.0 | Remote code execution (RCE) - An attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system with the same privileges as the user running the server. | |
3.18.0 | Remote code execution (RCE) - An attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system with the same privileges as the user running the server. | |
3.15.0 | Insufficient access controls - An unauthenticated user can craft requests in a manner that can execute arbitrary code and programs on the host system. | |
3.14.0 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application. | |
3.14.0 | Insufficient access controls - An unauthenticated user can craft requests in such a manner that the responses can reveal other hosts and which ports they have open on the local network. | |
3.14.0 | Java Expression Language Injection - An attacker with administrative privileges can exploit this vulnerability to execute code on the server. | |
3.12.0 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application. | |
3.8.0 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application. | |
Dependency Vulnerabilities with No Impact
Nexus Repository Manager also includes several third-party libraries. Below is a list of vulnerabilities that may be reported when you scan our application, together with the reasons we are not vulnerable to them.
DEPENDENCY | ADVISORY | IMPACT ANALYSIS |
---|---|---|
com.h2database : h2 | | Nexus Repository uses a hardcoded JDBC URL for its embedded H2 database. |
com.h2database : h2 | SONATYPE-2021-1681 | Nexus Repository 3 as shipped is not vulnerable to this CVE. Customers would have to make significant changes to their configuration to become vulnerable. The H2 Web Console is also not enabled in Nexus Repository 2, nor is there a way to enable it by changing settings; therefore, Nexus Repository 2 is also not vulnerable to this CVE. |
logback-classic 1.2.3 | SONATYPE-2021-1175 SONATYPE-2021-1446 | Nexus Repository as shipped is not vulnerable to this CVE. Customers would have to make significant changes to their configuration to become vulnerable. However, as a precautionary measure, we upgraded the |
org.apache.shiro 1.6.0 | | We do not utilize Spring; therefore we are not exposed to the Shiro vulnerability. |
com.h2database 1.4.200 | | We do not enable the web console or expose the Backup class from the running JVM. |
com.hazelcast 3.10.3 | SONATYPE-2016-0449 | We have enabled the serialization filter after a fix was backported to 3.10. |
com.thoughtworks.xstream 1.4.10 | | The vulnerability is only present when the security subsystem is not initialized. We initialize the security subsystem. |
commons-codec-1.10 | SONATYPE-2018-0677 | We only use it in a single test class and have upgraded to use the JRE's own Base64 implementation. |
commonmark 0.27.0 | SONATYPE-2019-0540 | NXRM does not use react-commonmark, so we are not vulnerable. |
hibernate-validator 6.1.0.Final | | Not vulnerable because we use stripJavaEL() in HelperValidator. |
io.netty 3.10.6.Final | SONATYPE-2020-0103 SONATYPE-2020-0029 CVE-2019-20444 | This vulnerability is only applicable if you are exposing Netty's HTTP handling. We do not use Netty's HTTP handling. |
jackson-databind 2.9.10.4 | Multiple | The vulnerability is only pertinent if the 'enableDefaultTyping' option is enabled, and NX3 does not enable this; furthermore, it only applies to polymorphic types, which we do not use. |
jquery 3.3.1 | SONATYPE-2019-0115 | This vulnerability is reported in the nexus-clm-plugin module, which has only a single JavaScript file, details.js, and that file does not make use of the vulnerable $.extend function. |
org.apache.karaf 4.2.6 | SONATYPE-2012-0050 | This is a vulnerability in commons-codec, which Karaf depends on but which we do not use in any of our code. |
org.apache.karaf.jaas 4.2.9 | SONATYPE-2014-0201 | The identified vulnerabilities are in classes which we do not use in any of our code. |
org.apache.karaf : 4.2.6 | SONATYPE-2015-0286 | This particular exploit requires access to the JVM memory and a specific configuration in which Karaf's internal security model is used, rather than our JAAS-Shiro integration, which is what the current setup uses when the remote console is enabled (the local console is not an issue). |
org.apache.karaf.jaas.modules : 4.2.9 | | This requires access to the Karaf console, which would also require admin access to the server running NXRM. |
org.apache.shiro-web 1.4.2 | | The vulnerability exploits endpoints that serve content with and without a trailing slash. Filters that are defined on a wildcard path '/*' are not affected by this. |
org.bouncycastle - bcprov-jdk15on 1.60 | SONATYPE-2019-0673 | Vulnerability in the Dump class, which we do not use. |
org.elasticsearch_elasticsearch | | Our current use of Elasticsearch does not expose Elasticsearch for external consumption. Therefore, vulnerabilities in Elasticsearch endpoints or network listeners are not applicable. Additionally, since Elasticsearch contents are not directly exposed, vulnerabilities related to document or field permission issues are similarly not applicable. |
org.hibernate.validator 6.1.0 | | We are not using the SafeHtmlValidator anywhere in our code. |
org.quartz-scheduler 2.3.0 | | This issue can only be triggered when using the Quartz XMLSchedulingDataProcessor plugin. This is enabled via the quartz.properties file; the quartz.properties we ship with (the default from the Quartz jar) does not contain this plugin definition. |
orientdb-core 2.2.36 | SONATYPE-2018-0677 | We do not use OZIPCompressionUtil.class or OFileManager.class directly in our source code. |
com.orientechnologies : orientdb-server | | OrientDB embedded in Nexus Repository has server-side scripting disabled. |
resteasy-jaxrs 3.1.3.Final | | We do not use the CorsFilter or the default ExceptionMapper. |
org.bouncycastle:bcprov-jdk15to18 1.65 | SONATYPE-2020-0770 | We do not add any custom ciphers. SONATYPE-2020-0770 is an extension of CVE-2020-0187. However, both have the same root cause, which is: |
apache shiro 1.6.0 | SONATYPE-2020-0297 | We set the security manager at start-up only. |
apache shiro 1.6.0 | SONATYPE-2016-0026 | We do not use the remember-me functionality. |
apache shiro 1.6.0 | SONATYPE-2016-0702 | Shiro has not yet released a fix for this vulnerability; however, we do not believe NXRM is susceptible, as we do not utilize the remember-me functionality. |
Google Guava | SONATYPE-2020-0926 | We do not use |
org.mybatis : mybatis : 3.5.5 | | We do not use the 2nd-level cache. |
org.sonatype.nexus.bundles.elasticsearch | | Archive orientdb-community.zip is not part of the NXRM distribution. |
org.sonatype.nexus.bundles.elasticsearch | | Our embedded Elasticsearch has its API disabled. |
keycloak-services-11.0.0.jar | | NXRM does not contain the vulnerable component. |
com.fasterxml.jackson.dataformat : jackson-dataformat-cbor : 2.11.2 | | The component is used transitively and is not exposed to user input. |
org.apache.velocity : velocity-engine-core : 2.2 | CVE-2020-13936 | Our Velocity templates are immutable. |
jakarta.el : 3.0.3 | SONATYPE-2020-1438 | We do not enable expression languages for Hibernate Validator. |
org.apache.servicemix.bundles.not-yet-commons-ssl : 0.3.11_1 | | The vulnerable classes are not used and are not reachable. |
com.orientechnologies : orientdb-studio : zip : 2.2.37 | | OrientDB Studio: This is only packaged as a convenience; it is not enabled and should only be enabled for troubleshooting purposes. |
groovy-all 2.4.17 | CVE-2020-17521 | We do not make use of Groovy's createTempDir. |
resteasy 3.11.5 | CVE-2021-20289 | Fixed in RESTEasy 3.15.2, which is the version NXRM uses. |
org.apache.karaf.jaas : org.apache.karaf.jaas.modules 4.3.2 | SONATYPE-2012-0050 | This is a vulnerability in commons-codec, which Karaf depends on but which is not used in any NXRM code. |
org.apache.karaf.jaas : org.apache.karaf.jaas.modules 4.3.2 | SONATYPE-2014-0201 | The identified vulnerabilities are in classes which we do not use in any of our code. |
org.apache.karaf : org.apache.karaf.client 4.3.2 | SONATYPE-2015-0286 | NXRM does not enable the console for clients. |
shiro-core 1.8.0 | SONATYPE-2016-0026 SONATYPE-2016-0702 | NXRM does not use the remember-me functionality. |
orientdb-core 2.2.36 | SONATYPE-2018-0677 | Cannot be exploited, since NXRM does not use the OZIPCompressionUtil or OFileManager classes. |
com.orientechnologies : orientdb-server : 2.2.36 | SONATYPE-2018-0706 | Nexus Repository does not use POST batch queries. |
org.bouncycastle : bcprov-jdk15to18 1.67 | SONATYPE-2019-0673 | Vulnerability in the Dump class, which NXRM does not use. |
guava 30.1.1-jre | SONATYPE-2020-0926 | NXRM does not use Guava's createTempDir. |
org.apache.tika : tika-core : 1.26 | CVE-2022-30126 | We do not use the affected handler class. |