Security Advisories
| FIXED IN | ADVISORY | IMPACT |
|---|---|---|
| 3.22.1 | CVE-2020-11415 | Sensitive information disclosure (SID) - An attacker with administrative privileges can reconfigure the LDAP server in Nexus Repository Manager so that they can retrieve the credentials of the LDAP system user. |
| 3.22.0 | CVE-2020-11444 | Improper access controls - An authenticated user can craft requests in such a manner that configuration for other users in the system can be affected. |
| 3.21.2 | N/A | It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution. Scripting Disabled. |
| 3.21.2 | CVE-2017-18640 | Dependency snakeyaml 1.20: The Alias feature in snakeyaml allows entity expansion during a load operation |
| 3.21.2 | CVE-2018-16621 | This issue may lead to Remote Code execution by any low-privilege user. |
| 3.21.2 | CVE-2020-10203 | The identified vulnerability allows arbitrary JavaScript to run in a user’s browser in the context of the application. |
| 3.21.0 | CVE-2017-18640 | Dependency snakeyaml 1.18: The Alias feature in snakeyaml allows entity expansion during a load operation |
| 3.21.0 | CVE-2019-10219 | Dependency hibernate-validator:A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. |
| 3.20.0 | CVE-2019-17495 | Dependency swagger-ui-dist 3.22.0: A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. |
| 3.19.0 | CVE-2019-12402 | Dependency apache commons-compress: The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. |
| 3.19.0 | CVE-2019-16530 | Remote code execution (RCE) - An attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system, with the same privileges as the user running the server. |
| 3.18.0 | CVE-2019-14469 | Remote code execution (RCE) - An attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system, with the same privileges as the user running the server |
| 3.15.0 | CVE-2019-7238 | Insufficient access controls - An unauthenticated user can craft requests in a manner that can execute arbitrary code and programs on the host system. |
| 3.14.0 | CVE-2018-16619 | Multiple Cross-Site Scripting (XSS)- A remote attacker can execute arbitrary JavaScript within the context of the application. |
| 3.14.0 | CVE-2018-16620 | Insufficient access controls- An unauthenticated user can craft requests in such a manner that the responses can reveal other hosts and which ports they have open on the local network. |
| 3.14.0 | CVE-2018-16621 | Java Expression Language Injection - An attacker with administrative privileges can exploit this vulnerability to execute code on the server. |
| 3.12.0 | CVE-2018-12100 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application. |
| 3.8.0 | CVE-2018-5306 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application. |
Dependency Vulnerabilities
Nexus Repository Manager also includes several third party libraries. Below is a list of vulnerabilities that may come up when you scan our application. We have listed the reasons we are not vulnerable.
| DEPENDENCY | ADVISORY | IMPACT ANALYSIS |
|---|---|---|
| com.h2database 1.4.199 | CVE-2018-14335 | We do not enable the web console or expose the Backup class from the running JVM. |
| com.hazelcast 3.10.3 | SONATYPE-2016-0449 | We have enabled the serialization filter after a fix was backported to 3.10 |
| com.thoughtworks.xstream 1.4.10 | CVE-2019-10173 CVE-2013-7285 | The vulnerability is only present when the security subsystem is not initialized. We initialize the security subsystem |
| commons-codec-1.10 | SONATYPE-2018-0677 | We are only using it in a single test class and have upgraded to use JRE's own Base64 implementation |
| commonmark 0.27.0 | SONATYPE-2019-0540 | As NXRM doesn't use react-commonmark so we are not vulnerable. |
| hibernate-validator 6.1.0.Final | CVE-2020-10693 | Not vulnerable because we use stripJavaEL() in HelperValidator |
| io.netty 3.10.6.Final | SONATYPE-2020-0103 | This vulnerability is only applicable if you are exposing netty's http handling. We do not use netty's http handling |
| jackson-databind 2.9.10.4 | Multiple | Vulnerability is only pertinent if the 'enableDefaultTyping' option is enabled, and NX3 does not enable this; furthermore it only applies to polymorphic types, which we don't use |
| jquery 3.3.1 | SONATYPE-2019-0115 | This vulnerability is reported to be used in the nexus-clm-plugin module which only has a single javascript file details.js. Which does not make use of the$extend vulnerability. |
| org.apache.karaf 4.2.6 | SONATYPE-2012-0050 | This is a vulnerability in common-codec which karaf depends on but we do not use in any of our code. |
org.apache.karaf : 4.2.6 | SONATYPE-2015-0286 | This particular exploit requires access to the JVM memory and a specific configuration where you're using Karaf's internal security model - rather than our JAAS-Shiro integration which is what the current setup uses when you have the remote console enabled (local console is not an issue). |
| org.apache.shiro-web 1.4.2 | CVE-2020-1957 | The vulnerability exploits endpoints that serve content with and without a trailing slash. Filters that are defined on a wildcard path '/*' are not affected by this. |
| org.bouncycastle - bcprov-jdk15on 1.60 | SONATYPE-2019-0673 | Vulnerability in the Dump class which we do not use |
| org.hibernate.validator 6.1.0 | CVE-2019-10219 | We are not using the SafeHtmlValidator anywhere in our code |
| org.quartz-scheduler 2.3.0 | CVE-2019-13990 | This issue can only be invoked when using the quartz XMLSchedulingDataProcessor plugin. This is enabled via the quartz.properties file, the quartz.properties we ship with (default from the quartz jar) does not contain this plugin definition. |
| orientdb-core 2.2.36 | CVE-2020-6230 SONATYPE-2018-0677 | We're not using OZIPCompressionUtil.class and OFileManager.class directly in our source code. |
| resteasy-jaxrs 3.1.3.Final | We do not use the CorsFilter or the default ExceptionMapper |