CVE-2020-10199: Nexus Repository Manager Remote Code Execution Alert

The Sonatype Security Team has issued a security advisory for a remote code execution vulnerability (CVE-2020-10199) in Nexus Repository Manager 3.x.

Nexus is a repository manager that acts as a staging repository, “intercepting” artifacts uploaded with mvn deploy.

Thus artifacts can be safely deployed to Nexus as part of voting on a release. The vote takes place on the staged artifacts. If the vote succeeds, the artifacts can be promoted to the live repository. If it fails, the artifacts can be deleted, and the process can restart.

“The vulnerability allows for an attacker with any type of account on NXRM to execute arbitrary code by crafting a malicious request to NXRM.”

Affected versions

  • All previous Nexus Repository Manager 3.x OSS/Pro versions up to and including 3.21.1

Solution

Update Nexus Repository Manager to version 3.21.2.
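As an added example (not code from the advisory or from Sonatype), a small Python triage helper that applies the version boundaries above to a list of Nexus version banners and says which instances still need the 3.21.2 update. The banner format `Nexus/3.21.1-01 (OSS)` and the host names are assumptions, constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Boundaries from the advisory: every 3.x release up to and including
# 3.21.1 is affected; 3.21.2 carries the fix. The 3.x line is the only scope.
LAST_AFFECTED = (3, 21, 1)
FIXED = (3, 21, 2)

# Matches "3.21.1" and the build-suffixed form "3.21.1-01"; the suffix is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-\d+)?")


def parse_nexus_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a version string or banner.

    The banner shape "Nexus/3.21.1-01 (OSS)" is an assumption for this example.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(text: str) -> Optional[bool]:
    """True for a vulnerable 3.x release, False otherwise, None if unparseable."""
    v = parse_nexus_version(text)
    if v is None:
        return None
    if v[0] != 3:
        return False  # the advisory covers the 3.x line only
    return v <= LAST_AFFECTED


def triage(hosts: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (name, banner) pair to an action: upgrade, ok, or unknown."""
    result = {}
    for name, banner in hosts:
        state = is_affected(banner)
        if state is None:
            result[name] = "unknown"
        elif state:
            result[name] = "upgrade to %d.%d.%d" % FIXED
        else:
            result[name] = "ok"
    return result


# Constructed sample inventory; these are not real hosts.
SAMPLE_HOSTS = [
    ("build-nexus-1", "Nexus/3.21.1-01 (OSS)"),
    ("build-nexus-2", "Nexus/3.21.2-03 (PRO)"),
    ("legacy-nexus", "Nexus/3.19.1-01 (OSS)"),
    ("odd-banner", "Apache/2.4"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(host, verdict)
```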