Security Advisories
| FIXED IN | ADVISORY | IMPACT |
|---|---|---|
| 3.29.0 | CVE-2020-29436 | A user with admin privileges can configure the system to gain access to content outside of NXRM via an XXE vulnerability. KB Article |
| 3.27.0 | CVE-2020-13933 | An unauthenticated user can submit a specially crafted HTTP request that may cause an authentication bypass. KB Article |
| 3.26.0 | CVE-2020-15868 | Access Control Bypass. The `executeChain` method in `SecurityFilter.class` incorrectly sanitizes the characters `.` and `/` from URL strings contained in client requests. A remote unauthenticated attacker could abuse this behavior by crafting a URL, adding it to a web request and sending it to the server to successfully access private resources without a previously authorized security context. |
| 3.25.1 | CVE-2020-15871 | Remote code execution vulnerability - If you have Helm enabled a user with the right permission can run arbitray code in the NXRM server. |
| 3.25.0 | CVE-2020-11023 | The jquery package is vulnerable to Cross-Site Scripting (XSS). Multiple jQuery files as listed below, improperly sanitize HTML input containing <option> tags. An attacker can exploit this vulnerability by passing crafted input to jQuery's DOM manipulation methods (e.g. .html(), .append(), etc.) to execute XSS attacks |
| 3.24 | CVE-2020-0187 | Dependency bouncy castle 1.60 - In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. This could lead to local information disclosure with no additional execution privileges needed. |
| 3.22.1 | CVE-2020-11415 | Sensitive information disclosure (SID) - An attacker with administrative privileges can reconfigure the LDAP server in Nexus Repository Manager so that they can retrieve the credentials of the LDAP system user. |
| 3.22.0 | CVE-2020-11444 | Improper access controls - An authenticated user can craft requests in such a manner that configuration for other users in the system can be affected. |
| 3.21.2 | N/A | It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution. Scripting Disabled. |
| 3.21.2 | CVE-2017-18640 | Dependency snakeyaml 1.20: The Alias feature in snakeyaml allows entity expansion during a load operation |
| 3.21.2 | CVE-2018-16621 | This issue may lead to Remote Code execution by any low-privilege user. |
| 3.21.2 | CVE-2020-10203 | The identified vulnerability allows arbitrary JavaScript to run in a user’s browser in the context of the application. |
| 3.21.0 | CVE-2017-18640 | Dependency snakeyaml 1.18: The Alias feature in snakeyaml allows entity expansion during a load operation |
| 3.21.0 | CVE-2019-10219 | Dependency hibernate-validator:A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. |
| 3.20.0 | CVE-2019-17495 | Dependency swagger-ui-dist 3.22.0: A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. |
| 3.19.0 | CVE-2019-12402 | Dependency apache commons-compress: The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. |
| 3.19.0 | CVE-2019-16530 | Remote code execution (RCE) - An attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system, with the same privileges as the user running the server. |
| 3.18.0 | CVE-2019-14469 | Remote code execution (RCE) - An attacker with elevated privileges can upload a specially crafted file. That file can contain commands that will be executed on the system, with the same privileges as the user running the server |
| 3.15.0 | CVE-2019-7238 | Insufficient access controls - An unauthenticated user can craft requests in a manner that can execute arbitrary code and programs on the host system. |
| 3.14.0 | CVE-2018-16619 | Multiple Cross-Site Scripting (XSS)- A remote attacker can execute arbitrary JavaScript within the context of the application. |
| 3.14.0 | CVE-2018-16620 | Insufficient access controls- An unauthenticated user can craft requests in such a manner that the responses can reveal other hosts and which ports they have open on the local network. |
| 3.14.0 | CVE-2018-16621 | Java Expression Language Injection - An attacker with administrative privileges can exploit this vulnerability to execute code on the server. |
| 3.12.0 | CVE-2018-12100 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application. |
| 3.8.0 | CVE-2018-5306 | Multiple Cross-Site Scripting (XSS) - A remote attacker can execute arbitrary JavaScript within the context of the application. |
Dependency Vulnerabilities with No Impact
Nexus Repository Manager also includes several third party libraries. Below is a list of vulnerabilities that may come up when you scan our application. We have listed the reasons we are not vulnerable.
| DEPENDENCY | ADVISORY | IMPACT ANALYSIS |
|---|---|---|
| org.apache.shiro 1.6.0 | CVE-2020-17523 | We do not utilize Spring, therefore are not exposed to the shiro vulnerability |
| com.h2database 1.4.200 | CVE-2018-14335 | We do not enable the web console or expose the Backup class from the running JVM. |
| com.hazelcast 3.10.3 | SONATYPE-2016-0449 CVE-2016-10740 | We have enabled the serialization filter after a fix was backported to 3.10 |
| com.thoughtworks.xstream 1.4.10 | CVE-2019-10173 CVE-2013-7285 | The vulnerability is only present when the security subsystem is not initialized. We initialize the security subsystem |
| commons-codec-1.10 | SONATYPE-2018-0677 | We are only using it in a single test class and have upgraded to use JRE's own Base64 implementation |
| commonmark 0.27.0 | SONATYPE-2019-0540 | As NXRM doesn't use react-commonmark so we are not vulnerable. |
| hibernate-validator 6.1.0.Final | CVE-2020-10693 | Not vulnerable because we use stripJavaEL() in HelperValidator |
| io.netty 3.10.6.Final | SONATYPE-2020-0103 | This vulnerability is only applicable if you are exposing netty's http handling. We do not use netty's http handling |
| jackson-databind 2.9.10.4 | Multiple | Vulnerability is only pertinent if the 'enableDefaultTyping' option is enabled, and NX3 does not enable this; furthermore it only applies to polymorphic types, which we don't use |
| jquery 3.3.1 | SONATYPE-2019-0115 | This vulnerability is reported to be used in the nexus-clm-plugin module which only has a single javascript file details.js. Which does not make use of the$extend vulnerability. |
org.apache.karaf 4.2.6 | SONATYPE-2012-0050 | This is a vulnerability in common-codec which karaf depends on but we do not use in any of our code. |
| org.apache.karaf.jaas 4.2.9 | SONATYPE-2014-0201 | The identified vulnerabilities are in classes which we do not use in any of our code. |
org.apache.karaf : 4.2.6 | SONATYPE-2015-0286 | This particular exploit requires access to the JVM memory and a specific configuration where you're using Karaf's internal security model - rather than our JAAS-Shiro integration which is what the current setup uses when you have the remote console enabled (local console is not an issue). |
org.apache.karaf.jaas.modules : 4.2.9 | CVE-2020-13956 | This requires access to the karaf console which would also require admin access to the server running NXRM. |
| org.apache.shiro-web 1.4.2 | CVE-2020-1957 | The vulnerability exploits endpoints that serve content with and without a trailing slash. Filters that are defined on a wildcard path '/*' are not affected by this. |
| org.bouncycastle - bcprov-jdk15on 1.60 | SONATYPE-2019-0673 | Vulnerability in the Dump class which we do not use |
| org.elasticsearch_elasticsearch | Our current use of ElasticSearch does not expose ElasticSearch for external consumption. Therefore, vulnerabilities with ElasticSearch endpoints or network listeners are not applicable. Additionally, since ElasticSearch contents are not directly exposed, vulnerabilities related to document or field permissions issues are similarly not applicable. | |
| org.hibernate.validator 6.1.0 | CVE-2019-10219 | We are not using the SafeHtmlValidator anywhere in our code |
| org.quartz-scheduler 2.3.0 | CVE-2019-13990 | This issue can only be invoked when using the quartz XMLSchedulingDataProcessor plugin. This is enabled via the quartz.properties file, the quartz.properties we ship with (default from the quartz jar) does not contain this plugin definition. |
| orientdb-core 2.2.36 | CVE-2020-6230 SONATYPE-2018-0677 | We're not using OZIPCompressionUtil.class and OFileManager.class directly in our source code. |
| resteasy-jaxrs 3.1.3.Final | We do not use the CorsFilter or the default ExceptionMapper | |
| org.bouncycastle:bcprov-jdk15to18 1.65 | SONATYPE-2020-0770 | We do not add any custom ciphers. SONATYPE-2020-0770 is an extension of CVE-2020-0187. However, both have the same root cause which is: |
| apache shiro 1.6.0 | SONATYPE-2020-0297 | We set the security manager at start up only |
| apache shiro 1.6.0 | SONATYPE-2016-0026 | We do not use the remember me functionality. |
| apache shiro 1.6.0 | SONATYPE-2016-0702 | See |
| orientdb-server 2.2.36 | SONATYPE-2018-0706 | We build the Orient server configuration programatically and we don't enable the OServerSideScriptInterpreter handler. |
| Google Guava | SONATYPE-2020-0926 | We do not use com.google.common.io.Files.createTempDir. |
| org.mybatis : mybatis : 3.5.5 | CVE-2020-26945 | We do not used 2nd level cache |
org.sonatype.nexus.bundles.elasticsearch | CVE-2017-12629 | Archive orientdb-community.zip is not part of NXRM distribution |
org.sonatype.nexus.bundles.elasticsearch | CVE-2018-3831 | Our embedded Elastic Search has API disabled |
| keycloak-services-11.0.0.jar | NXRM does not contain the vulnerable component. | |
| com.fasterxml.jackson.dataformat : jackson-dataformat-cbor : 2.11.2 | CVE-2020-28491 | The component is used transitively and isn't exposed to user input. |
org.apache.velocity : velocity-engine-core : 2.2 | CVE-2020-13936 | Our Velocity Templates are immutable. |