Repository Security Vulnerabilities

Sonatype considers security extremely important and uses multiple processes and tooling to ensure that our products are secure.

Our Security Practices

To ensure the security of our products, we use a comprehensive application security practice that includes transitive dependency analysis at multiple points in the SDLC, static analysis of application code, and automated and human review processes for all changes.

Dependency Vulnerabilities

As with most modern software applications, Nexus Repository incorporates a number of open source components as dependencies. Nexus Lifecycle’s continuous monitoring capabilities regularly detect vulnerabilities in these components.

These may or may not be exploitable, depending upon both the nature of the vulnerability and how the component is used within Nexus Repository. However, we treat every dependency vulnerability as potentially exploitable, because attack techniques such as vulnerability chaining can turn a finding that is not exploitable on its own into part of a working attack. Therefore, our development teams upgrade the component to a non-vulnerable version as soon as one is available. We make these upgrades available to our customers and users in later releases of Nexus Repository.

To benefit from this ongoing risk mitigation, we recommend our customers and users regularly update their Nexus Repository instances to the most recent version.

Inquiring About a Dependency Vulnerability's Status

If you have concerns about a dependency vulnerability with unknown exploitability, we can confirm whether we are aware of it and whether it is queued for remediation as part of our normal development process.

For the protection of our customers and users, we do not disclose the exploitability of suspected vulnerabilities before they are remediated and an upgraded version of Nexus Repository is released.

You can subscribe to announcements of new releases and exploitable security vulnerabilities by signing up for the Nexus Repository Pro announcements Google group.

Reporting a Security Vulnerability

Sonatype responds to exploitable security vulnerabilities with the utmost urgency and follows a responsible disclosure and notification process to protect our users and customers.

If you would like to report a new vulnerability that you have discovered or reproduced, please follow the steps for reporting a security issue to security@sonatype.com as detailed on our Contact Us page.