Security Advisories

Fixed in | Advisory | Impact
3.22.1 | CVE-2020-11415 | Sensitive information disclosure (SID) - An attacker with administrative privileges can reconfigure the LDAP server in Nexus Repository Manager so that they can retrieve the credentials of the LDAP system user.
3.22.0 | CVE-2020-11444 | Improper access controls - An authenticated user can craft requests in such a manner that configuration for other users in the system can be affected.
3.21.2 | N/A | A user with the right permissions can execute arbitrary Groovy or JavaScript scripts, resulting in remote code execution. Mitigation: scripting disabled.
3.21.2 | CVE-2017-18640 | Dependency snakeyaml 1.20: the Alias feature in snakeyaml allows entity expansion during a load operation.
3.21.2 | CVE-2018-16621 | This issue may lead to remote code execution by any low-privilege user.
3.21.2 | CVE-2020-10203 | The identified vulnerability allows arbitrary JavaScript to run in a user's browser in the context of the application.
3.21.0 | CVE-2017-18640 | Dependency snakeyaml 1.18: the Alias feature in snakeyaml allows entity expansion during a load operation.
3.21.0 | CVE-2019-10219 | Dependency hibernate-validator: the SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions.
3.20.0 | CVE-2019-17495 | Dependency swagger-ui-dist 3.22.0: a Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value.
3.19.0 | CVE-2019-12402 | Dependency apache commons-compress: the file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs.
3.19.0 | CVE-2019-16530 | Remote code execution (RCE) - An attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system, with the same privileges as the user running the server.
3.18.0 | CVE-2019-14469 | Remote code execution (RCE) - An attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system, with the same privileges as the user running the server.
3.15.0 | CVE-2019-7238 | Insufficient access controls - An unauthenticated user can craft requests in a manner that can execute arbitrary code and programs on the host system.
3.14.0 | CVE-2018-16619 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application.
3.14.0 | CVE-2018-16620 | Insufficient access controls - An unauthenticated user can craft requests in such a manner that the responses can reveal other hosts and which ports they have open on the local network.
3.14.0 | CVE-2018-16621 | Java Expression Language injection - An attacker with administrative privileges can exploit this vulnerability to execute code on the server.
3.12.0 | CVE-2018-12100 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application.
3.8.0 | CVE-2018-5306 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application.

Dependency Vulnerabilities

Nexus Repository Manager also includes several third-party libraries. Below is a list of vulnerabilities in those libraries that may come up when you scan our application, together with the reasons we are not vulnerable to them.

Dependency | Advisory | Impact analysis
com.h2database 1.4.199 | CVE-2018-14335 | We do not enable the web console or expose the Backup class from the running JVM.
com.hazelcast 3.10.3 | SONATYPE-2016-0449 | We have enabled the serialization filter, after a fix was backported to 3.10.
com.thoughtworks.xstream 1.4.10 | CVE-2019-10173, CVE-2013-7285 | The vulnerability is only present when the security subsystem is not initialized. We initialize the security subsystem.
commons-codec 1.10 | SONATYPE-2018-0677 | We only use it in a single test class, and have upgraded that to use the JRE's own Base64 implementation.
commonmark 0.27.0 | SONATYPE-2019-0540 | NXRM does not use react-commonmark, so it is not vulnerable.
hibernate-validator 6.1.0.Final | CVE-2020-10693 | Not vulnerable because we use stripJavaEL() in HelperValidator.
io.netty 3.10.6.Final | SONATYPE-2020-0103, SONATYPE-2020-0029, CVE-2019-20445, CVE-2019-16869 | These vulnerabilities only apply if Netty's HTTP handling is exposed. We do not use Netty's HTTP handling.
jackson-databind 2.9.10.4 | Multiple | These vulnerabilities are only pertinent if the 'enableDefaultTyping' option is enabled, and NX3 does not enable it; furthermore, they only apply to polymorphic types, which we do not use.
jquery 3.3.1 | SONATYPE-2019-0115 | This vulnerability is reported against the nexus-clm-plugin module, which has a single JavaScript file, details.js, that does not use the vulnerable $.extend function.
org.apache.karaf 4.2.6 | SONATYPE-2012-0050 | This is a vulnerability in commons-codec, which Karaf depends on but which we do not use in any of our code.
org.apache.karaf 4.2.6 | SONATYPE-2015-0286 | This particular exploit requires access to the JVM memory and a specific configuration in which Karaf's internal security model is used, rather than our JAAS/Shiro integration, which is what the current setup uses when the remote console is enabled (the local console is not an issue).
org.apache.shiro-web 1.4.2 | CVE-2020-1957 | The vulnerability exploits endpoints that serve content both with and without a trailing slash. Filters defined on the wildcard path '/*' are not affected.
org.bouncycastle bcprov-jdk15on 1.60 | SONATYPE-2019-0673 | Vulnerability in the Dump class, which we do not use.
org.hibernate.validator 6.1.0 | CVE-2019-10219 | We are not using the SafeHtmlValidator anywhere in our code.
org.quartz-scheduler 2.3.0 | CVE-2019-13990 | This issue can only be triggered when the Quartz XMLSchedulingDataProcessor plugin is in use. It is enabled via the quartz.properties file; the quartz.properties we ship (the default from the Quartz jar) does not contain this plugin definition.
orientdb-core 2.2.36 | CVE-2020-6230, SONATYPE-2018-0677 | We do not use OZIPCompressionUtil.class or OFileManager.class directly in our source code.
resteasy-jaxrs 3.1.3.Final | CVE-2017-7561, CVE-2016-6347 | We do not use the CorsFilter or the default ExceptionMapper.
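The jackson-databind entry in the table above rests on one setting, global default typing. The following is an added example written for this page, not Nexus code, and it assumes jackson-databind 2.10 or later for the allow-list variant. The `Settings` class, its `payload` field, the `com.example.settings.` package prefix and the JSON input are all constructed for the demonstration. It places the weak configuration (`enableDefaultTyping()`, where the JSON's type id selects the class Jackson instantiates) beside Jackson's default (no default typing, so the same input is just a list) and beside a `PolymorphicTypeValidator` allow-list, which rejects a type id that is not on the list with an `InvalidTypeIdException`.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical bean with an open-typed (Object) field. Object and abstract/interface
    // typed fields are exactly what OBJECT_AND_NON_CONCRETE default typing applies to.
    public static class Settings {
        public Object payload;
    }

    // Constructed attacker-controlled input. With default typing on, the first array
    // element is a type id naming the class to instantiate. A harmless JDK class is used
    // here on purpose; a real payload names a class whose setters have side effects.
    static final String UNTRUSTED_JSON =
        "{\"payload\": [\"java.util.HashMap\", {\"k\": \"v\"}]}";

    // Weak setting: global default typing, the option the impact analysis refers to.
    public static Object withDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10, kept here because it is the setting in question
        return mapper.readValue(json, Settings.class).payload;
    }

    // Jackson's default: no default typing. The wrapper array is deserialized as an
    // ordinary two-element list; no class name from the input is ever resolved.
    public static Object withoutDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, Settings.class).payload;
    }

    // If polymorphic deserialization is genuinely needed: allow-list the permitted
    // subtypes instead of accepting any class on the classpath (2.10+ API).
    // The package prefix is a hypothetical example.
    public static Object withAllowList(String json) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.settings.")
            .build();
        ObjectMapper mapper = JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
            .build();
        return mapper.readValue(json, Settings.class).payload;
    }

    public static void main(String[] args) throws Exception {
        Object chosenByInput = withDefaultTyping(UNTRUSTED_JSON);
        System.out.println("default typing on : " + chosenByInput.getClass().getName());

        Object plainList = withoutDefaultTyping(UNTRUSTED_JSON);
        System.out.println("default typing off: " + plainList.getClass().getName());

        try {
            withAllowList(UNTRUSTED_JSON);
            System.out.println("allow-list        : accepted (unexpected)");
        } catch (InvalidTypeIdException e) {
            System.out.println("allow-list        : rejected, " + e.getMessage());
        }
    }
}
```

When reviewing a scanner finding against this library, the check is therefore whether any `ObjectMapper` in the application calls `enableDefaultTyping`/`activateDefaultTyping` or uses `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)`, and whether any deserialized bean has `Object`, abstract or interface typed fields, including `Map<String, Object>` values. If neither holds, attacker-supplied JSON cannot name a class, which is the basis of the analysis in the table.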