Security Advisories

| Fixed in | Advisory | Impact |
|---|---|---|
| 3.29.0 | CVE-2020-29436 | A user with admin privileges can configure the system to gain access to content outside of NXRM via an XXE vulnerability. KB Article |
| 3.27.0 | CVE-2020-13933 | An unauthenticated user can submit a specially crafted HTTP request that may cause an authentication bypass. KB Article |
| 3.26.0 | CVE-2020-15868 | Access control bypass. The `executeChain` method in `SecurityFilter.class` incorrectly sanitizes the characters `.` and `/` from URL strings contained in client requests. A remote unauthenticated attacker could abuse this behavior by crafting a URL, adding it to a web request and sending it to the server to successfully access private resources without a previously authorized security context. |
| 3.25.1 | CVE-2020-15871 | Remote code execution vulnerability. If you have Helm enabled, a user with the right permission can run arbitrary code in the NXRM server. |
| 3.25.0 | CVE-2020-11023 | The jquery package is vulnerable to Cross-Site Scripting (XSS). Multiple jQuery files, as listed below, improperly sanitize HTML input containing `<option>` tags. An attacker can exploit this vulnerability by passing crafted input to jQuery's DOM manipulation methods (e.g. `.html()`, `.append()`, etc.) to execute XSS attacks. |
| 3.24 | CVE-2020-0187 | Dependency bouncy castle 1.60: in engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. This could lead to local information disclosure with no additional execution privileges needed. |
| 3.22.1 | CVE-2020-11415 | Sensitive information disclosure (SID): an attacker with administrative privileges can reconfigure the LDAP server in Nexus Repository Manager so that they can retrieve the credentials of the LDAP system user. |
| 3.22.0 | CVE-2020-11444 | Improper access controls: an authenticated user can craft requests in such a manner that configuration for other users in the system can be affected. |
| 3.21.2 | N/A | It is possible for a user with the right permissions to execute arbitrary Groovy or JavaScript scripts, resulting in remote code execution. Scripting disabled. |
| 3.21.2 | CVE-2017-18640 | Dependency snakeyaml 1.20: the Alias feature in snakeyaml allows entity expansion during a load operation. |
| 3.21.2 | CVE-2018-16621 | This issue may lead to remote code execution by any low-privilege user. |
| 3.21.2 | CVE-2020-10203 | The identified vulnerability allows arbitrary JavaScript to run in a user's browser in the context of the application. |
| 3.21.0 | CVE-2017-18640 | Dependency snakeyaml 1.18: the Alias feature in snakeyaml allows entity expansion during a load operation. |
| 3.21.0 | CVE-2019-10219 | Dependency hibernate-validator: a vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. |
| 3.20.0 | CVE-2019-17495 | Dependency swagger-ui-dist 3.22.0: a Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. |
| 3.19.0 | CVE-2019-12402 | Dependency apache commons-compress: the file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. |
| 3.19.0 | CVE-2019-16530 | Remote code execution (RCE): an attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system, with the same privileges as the user running the server. |
| 3.18.0 | CVE-2019-14469 | Remote code execution (RCE): an attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system, with the same privileges as the user running the server. |
| 3.15.0 | CVE-2019-7238 | Insufficient access controls: an unauthenticated user can craft requests in a manner that can execute arbitrary code and programs on the host system. |
| 3.14.0 | CVE-2018-16619 | Multiple Cross-Site Scripting (XSS): a remote attacker can execute arbitrary JavaScript within the context of the application. |
| 3.14.0 | CVE-2018-16620 | Insufficient access controls: an unauthenticated user can craft requests in such a manner that the responses can reveal other hosts and which ports they have open on the local network. |
| 3.14.0 | CVE-2018-16621 | Java Expression Language injection: an attacker with administrative privileges can exploit this vulnerability to execute code on the server. |
| 3.12.0 | CVE-2018-12100 | Multiple Cross-Site Scripting (XSS): a remote attacker can execute arbitrary JavaScript within the context of the application. |
| 3.8.0 | CVE-2018-5306 | Multiple Cross-Site Scripting (XSS): a remote attacker can execute arbitrary JavaScript within the context of the application. |

Dependency Vulnerabilities with No Impact

Nexus Repository Manager also includes several third-party libraries. Below is a list of vulnerabilities that may come up when you scan our application, together with the reasons we are not vulnerable to each.

| Dependency | Advisory | Impact analysis |
|---|---|---|
| org.apache.shiro 1.6.0 | CVE-2020-17523 | We do not utilize Spring, therefore we are not exposed to the Shiro vulnerability. |
| com.h2database 1.4.200 | CVE-2018-14335 | We do not enable the web console or expose the Backup class from the running JVM. |
| com.hazelcast 3.10.3 | SONATYPE-2016-0449, CVE-2016-10740 | We have enabled the serialization filter after a fix was backported to 3.10. |
| com.thoughtworks.xstream 1.4.10 | CVE-2019-10173, CVE-2013-7285 | The vulnerability is only present when the security subsystem is not initialized. We initialize the security subsystem. |
| commons-codec 1.10 | SONATYPE-2018-0677 | We are only using it in a single test class and have upgraded to use the JRE's own Base64 implementation. |
| commonmark 0.27.0 | SONATYPE-2019-0540 | NXRM does not use react-commonmark, so we are not vulnerable. |
| hibernate-validator 6.1.0.Final | CVE-2020-10693 | Not vulnerable because we use `stripJavaEL()` in HelperValidator. |
| io.netty 3.10.6.Final | SONATYPE-2020-0103, SONATYPE-2020-0029, CVE-2019-20444, CVE-2019-20445, CVE-2019-16869 | These vulnerabilities are only applicable if you are exposing Netty's HTTP handling. We do not use Netty's HTTP handling. |
| jackson-databind 2.9.10.4 | Multiple | The vulnerability is only pertinent if the `enableDefaultTyping` option is enabled, and NX3 does not enable this; furthermore, it only applies to polymorphic types, which we don't use. |
| jquery 3.3.1 | SONATYPE-2019-0115 | This vulnerability is reported against the nexus-clm-plugin module, which only has a single JavaScript file, details.js, and that file does not make use of the vulnerable `$.extend` function. |
| org.apache.karaf 4.2.6 | SONATYPE-2012-0050 | This is a vulnerability in commons-codec, which Karaf depends on but which we do not use in any of our code. |
| org.apache.karaf.jaas 4.2.9 | SONATYPE-2014-0201 | The identified vulnerabilities are in classes which we do not use in any of our code. |
| org.apache.karaf 4.2.6 | SONATYPE-2015-0286 | This particular exploit requires access to the JVM memory and a specific configuration where you're using Karaf's internal security model, rather than our JAAS-Shiro integration, which is what the current setup uses when you have the remote console enabled (the local console is not an issue). |
| org.apache.karaf.jaas.modules 4.2.9 | CVE-2020-13956 | This requires access to the Karaf console, which would also require admin access to the server running NXRM. |
| org.apache.shiro-web 1.4.2 | CVE-2020-1957 | The vulnerability exploits endpoints that serve content with and without a trailing slash. Filters that are defined on a wildcard path `/*` are not affected by this. |
| org.bouncycastle bcprov-jdk15on 1.60 | SONATYPE-2019-0673 | Vulnerability in the Dump class, which we do not use. |
| org.elasticsearch_elasticsearch | CVE-2019-16869, CVE-2019-7611, CVE-2020-7020, CVE-2020-7019, CVE-2019-7614 | Our current use of Elasticsearch does not expose Elasticsearch for external consumption. Therefore, vulnerabilities in Elasticsearch endpoints or network listeners are not applicable. Additionally, since Elasticsearch contents are not directly exposed, vulnerabilities related to document or field permission issues are similarly not applicable. |
| org.hibernate.validator 6.1.0 | CVE-2019-10219 | We are not using the SafeHtmlValidator anywhere in our code. |
| org.quartz-scheduler 2.3.0 | CVE-2019-13990 | This issue can only be invoked when using the Quartz XMLSchedulingDataProcessor plugin. This is enabled via the quartz.properties file; the quartz.properties we ship with (the default from the Quartz jar) does not contain this plugin definition. |
| orientdb-core 2.2.36 | CVE-2020-6230, SONATYPE-2018-0677 | We're not using OZIPCompressionUtil.class and OFileManager.class directly in our source code. |
| resteasy-jaxrs 3.1.3.Final | CVE-2017-7561, CVE-2016-6347 | We do not use the CorsFilter or the default ExceptionMapper. |
| org.bouncycastle:bcprov-jdk15to18 1.65 | CVE-2020-0187, SONATYPE-2020-0770 | We do not add any custom ciphers. SONATYPE-2020-0770 is an extension of CVE-2020-0187; both have the same root cause, in bcprov-jdk15to18-1.65.jar at org/bouncycastle/jcajce/provider/symmetric/util/BaseBlockCipher.class, and since we do not add any custom ciphers we are not vulnerable to either. |
| apache shiro 1.6.0 | SONATYPE-2020-0297 | We set the security manager at start-up only. |
| apache shiro 1.6.0 | SONATYPE-2016-0026 | We do not use the remember-me functionality. |
| apache shiro 1.6.0 | SONATYPE-2016-0702 | See NEXUS-25168. |
| orientdb-server 2.2.36 | SONATYPE-2018-0706 | We build the Orient server configuration programmatically and we don't enable the OServerSideScriptInterpreter handler. |
| Google Guava | SONATYPE-2020-0926 | We do not use com.google.common.io.Files.createTempDir. |
| org.mybatis : mybatis : 3.5.5 | CVE-2020-26945 | We do not use the second-level cache. |
| org.sonatype.nexus.bundles.elasticsearch | CVE-2017-12629 | The archive orientdb-community.zip is not part of the NXRM distribution. |
| org.sonatype.nexus.bundles.elasticsearch | CVE-2018-3831 | Our embedded Elasticsearch has its API disabled. |
| keycloak-services-11.0.0.jar | CVE-2020-10776, CVE-2020-14366, CVE-2020-14389 | NXRM does not contain the vulnerable component. |
| com.fasterxml.jackson.dataformat : jackson-dataformat-cbor : 2.11.2 | CVE-2020-28491 | The component is used transitively and isn't exposed to user input. |
| org.apache.velocity : velocity-engine-core : 2.2 | CVE-2020-13936 | Our Velocity templates are immutable. |