Security Advisories

Resolved Vulnerabilities

| FIXED IN | ADVISORY | IMPACT |
|---|---|---|
| 3.34.0 | CVE-2021-40143 | An unauthenticated attacker may disclose sensitive information or request external resources from the vulnerable instance by sending a specially crafted HTTP request. Knowledge Base Article |
| 3.33.0 | CVE-2021-37152 | An authenticated attacker with the ability to add HTML files to a repository could redirect users to Nexus Repository Manager's pages with code modifications. Knowledge Base Article |
| 3.31.0 | CVE-2021-34553 | An authenticated attacker can get a list of blob files and read the content of a blob file (via a crafted GET request) without having been granted access. Knowledge Base Article |
| 3.30.1 | CVE-2021-30635 | An unauthenticated user can submit a crafted HTTP request to get a list of files and directories that exist in Nexus Repository's webroot. Knowledge Base Article |
| 3.30.1 | CVE-2021-29158 | An authenticated user can potentially retrieve the user token of a minute subset of other users in the system. Knowledge Base Article |
| 3.30.1 | CVE-2021-29159 | An authenticated local user can store an XSS which, when viewed, executes arbitrary JavaScript within the context of the application. |
| 3.29.0 | CVE-2020-29436 | A user with admin privileges can configure the system to gain access to content outside of NXRM via an XXE (XML External Entity) vulnerability. Knowledge Base Article |
| 3.27.0 | CVE-2020-13933 | An unauthenticated user can submit a specially crafted HTTP request that may cause an authentication bypass. Knowledge Base Article |
| 3.26.0 | CVE-2020-15868 | A remote unauthenticated attacker could send a request to the server to successfully access private resources without the required security context. |
| 3.25.1 | CVE-2020-15871 | A user with the right permission can run arbitrary code on the NXRM server. |
| 3.25.0 | CVE-2020-11023 | The jQuery package is vulnerable to Cross-Site Scripting (XSS). |
| 3.24 | CVE-2020-0187 | Dependency bouncy castle 1.60: Information disclosure is possible with no additional execution privileges needed. |
| 3.22.1 | CVE-2020-11415 | Sensitive information disclosure (SID) - An attacker with administrative privileges can configure the system such that they can retrieve the credentials of external LDAP users. |
| 3.22.0 | CVE-2020-11444 | Improper access controls - An authenticated user can craft requests in such a manner that configuration for other users in the system can be affected. |
| 3.21.2 | N/A | It is possible for a user with the right permissions to execute arbitrary Groovy or JavaScript scripts, resulting in remote code execution. Scripting is disabled and no longer recommended or supported. |
| 3.21.2 | CVE-2017-18640 | Dependency snakeyaml 1.20: The Alias feature in snakeyaml allows entity expansion during a load operation. |
| 3.21.2 | CVE-2018-16621 | This issue may lead to remote code execution by any low-privilege user. |
| 3.21.2 | CVE-2020-10203 | The identified vulnerability allows arbitrary JavaScript to run in a user's browser in the context of the application. |
| 3.21.0 | CVE-2017-18640 | Dependency snakeyaml 1.18: The Alias feature in snakeyaml allows entity expansion during a load operation. |
| 3.21.0 | CVE-2019-10219 | Dependency hibernate-validator: Some payloads are improperly sanitized, allowing potentially malicious code in HTML comments and instructions. |
| 3.20.0 | CVE-2019-17495 | Dependency swagger-ui-dist 3.22.0: Attackers can use a Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. |
| 3.19.0 | CVE-2019-12402 | Dependency apache commons-compress: The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This makes a denial of service attack possible. |
| 3.19.0 | CVE-2019-16530 | Remote code execution (RCE) - An attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system, with the same privileges as the user running the server. |
| 3.18.0 | CVE-2019-14469 | Remote code execution (RCE) - An attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system, with the same privileges as the user running the server. |
| 3.15.0 | CVE-2019-7238 | Insufficient access controls - An unauthenticated user can craft requests in a manner that can execute arbitrary code and programs on the host system. |
| 3.14.0 | CVE-2018-16619 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application. |
| 3.14.0 | CVE-2018-16620 | Insufficient access controls - An unauthenticated user can craft requests in such a manner that the responses can reveal other hosts and which ports they have open on the local network. |
| 3.14.0 | CVE-2018-16621 | Java Expression Language Injection - An attacker with administrative privileges can exploit this vulnerability to execute code on the server. |
| 3.12.0 | CVE-2018-12100 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application. |
| 3.8.0 | CVE-2018-5306 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application. |

Dependency Vulnerabilities with No Impact

Nexus Repository Manager also includes several third-party libraries. Below is a list of vulnerabilities that may come up when you scan our application, together with the reasons we are not vulnerable to each.

| DEPENDENCY | ADVISORY | IMPACT ANALYSIS |
|---|---|---|
| org.apache.shiro 1.6.0 | CVE-2020-17523 | We do not utilize Spring; therefore we are not exposed to the Shiro vulnerability. |
| com.h2database 1.4.200 | CVE-2018-14335 | We do not enable the web console or expose the Backup class from the running JVM. |
| com.hazelcast 3.10.3 | SONATYPE-2016-0449, CVE-2016-10740 | We have enabled the serialization filter after a fix was backported to 3.10. |
| com.thoughtworks.xstream 1.4.10 | CVE-2019-10173, CVE-2013-7285 | The vulnerability is only present when the security subsystem is not initialized. We initialize the security subsystem. |
| commons-codec 1.10 | SONATYPE-2018-0677 | We are only using it in a single test class and have upgraded to use the JRE's own Base64 implementation. |
| commonmark 0.27.0 | SONATYPE-2019-0540 | NXRM does not use react-commonmark, so we are not vulnerable. |
| hibernate-validator 6.1.0.Final | CVE-2020-10693 | Not vulnerable because we use stripJavaEL() in HelperValidator. |
| io.netty 3.10.6.Final | SONATYPE-2020-0103, SONATYPE-2020-0029, CVE-2019-20444, CVE-2019-20445, CVE-2019-16869 | These vulnerabilities are only applicable if you are exposing Netty's HTTP handling. We do not use Netty's HTTP handling. |
| jackson-databind 2.9.10.4 | Multiple | The vulnerabilities are only pertinent if the 'enableDefaultTyping' option is enabled, and NX3 does not enable this; furthermore they only apply to polymorphic types, which we don't use. |
| jquery 3.3.1 | SONATYPE-2019-0115 | This vulnerability is reported to be used in the nexus-clm-plugin module, which only has a single JavaScript file, details.js, which does not make use of the vulnerable $.extend function. |
| org.apache.karaf 4.2.6 | SONATYPE-2012-0050 | This is a vulnerability in commons-codec, which Karaf depends on but which we do not use in any of our code. |
| org.apache.karaf.jaas 4.2.9 | SONATYPE-2014-0201 | The identified vulnerabilities are in classes which we do not use in any of our code. |
| org.apache.karaf 4.2.6 | SONATYPE-2015-0286 | This particular exploit requires access to the JVM memory and a specific configuration where you're using Karaf's internal security model rather than our JAAS-Shiro integration, which is what the current setup uses when you have the remote console enabled (the local console is not an issue). |
| org.apache.karaf.jaas.modules 4.2.9 | CVE-2020-13956 | This requires access to the Karaf console, which would also require admin access to the server running NXRM. |
| org.apache.shiro-web 1.4.2 | CVE-2020-1957 | The vulnerability exploits endpoints that serve content with and without a trailing slash. Filters that are defined on a wildcard path '/*' are not affected by this. |
| org.bouncycastle bcprov-jdk15on 1.60 | SONATYPE-2019-0673 | Vulnerability in the Dump class, which we do not use. |
| org.elasticsearch elasticsearch | CVE-2019-16869, CVE-2019-7611, CVE-2020-7020, CVE-2020-7019, CVE-2019-7614 | Our current use of Elasticsearch does not expose Elasticsearch for external consumption. Therefore, vulnerabilities with Elasticsearch endpoints or network listeners are not applicable. Additionally, since Elasticsearch contents are not directly exposed, vulnerabilities related to document or field permission issues are similarly not applicable. |
| org.hibernate.validator 6.1.0 | CVE-2019-10219 | We are not using the SafeHtmlValidator anywhere in our code. |
| org.quartz-scheduler 2.3.0 | CVE-2019-13990 | This issue can only be invoked when using the Quartz XMLSchedulingDataProcessor plugin. This is enabled via the quartz.properties file; the quartz.properties we ship with (the default from the Quartz jar) does not contain this plugin definition. |
| orientdb-core 2.2.36 | CVE-2020-6230, SONATYPE-2018-0677 | We're not using OZIPCompressionUtil.class and OFileManager.class directly in our source code. |
| resteasy-jaxrs 3.1.3.Final | CVE-2017-7561, CVE-2016-6347 | We do not use the CorsFilter or the default ExceptionMapper. |
| org.bouncycastle:bcprov-jdk15to18 1.65 | CVE-2020-0187, SONATYPE-2020-0770 | We do not add any custom ciphers. SONATYPE-2020-0770 is an extension of CVE-2020-0187; both have the same root cause, which is in bcprov-jdk15to18-1.65.jar: org/bouncycastle/jcajce/provider/symmetric/util/BaseBlockCipher.class. Since we do not add any custom ciphers, we are not vulnerable to either. |
| apache shiro 1.6.0 | SONATYPE-2020-0297 | We set the security manager at start-up only. |
| apache shiro 1.6.0 | SONATYPE-2016-0026 | We do not use the RememberMe functionality. |
| apache shiro 1.6.0 | SONATYPE-2016-0702 | Shiro has not yet released a fix for this vulnerability; however, we don't feel NXRM is susceptible, as we don't utilize the RememberMe functionality. |
| orientdb-server 2.2.36 | SONATYPE-2018-0706 | We build the Orient server configuration programmatically and we don't enable the OServerSideScriptInterpreter handler. |
| Google Guava | SONATYPE-2020-0926 | We do not use com.google.common.io.Files.createTempDir. |
| org.mybatis:mybatis 3.5.5 | CVE-2020-26945 | We do not use the second-level cache. |
| org.sonatype.nexus.bundles.elasticsearch | CVE-2017-12629 | The archive orientdb-community.zip is not part of the NXRM distribution. |
| org.sonatype.nexus.bundles.elasticsearch | CVE-2018-3831 | Our embedded Elasticsearch has its API disabled. |
| keycloak-services 11.0.0 | CVE-2020-10776, CVE-2020-14366, CVE-2020-14389 | NXRM does not contain the vulnerable component. |
| com.fasterxml.jackson.dataformat:jackson-dataformat-cbor 2.11.2 | CVE-2020-28491 | The component is used transitively and isn't exposed to user input. |
| org.apache.velocity:velocity-engine-core 2.2 | CVE-2020-13936 | Our Velocity templates are immutable. |
| jakarta.el 3.0.3 | SONATYPE-2020-1438, GHSL-2020-021 | We do not enable expression languages for hibernate-validator. |
| org.apache.servicemix.bundles.not-yet-commons-ssl 0.3.11_1 | CVE-2014-3604 | The vulnerable classes are not used and not reachable. |