October 24, 2020

CVE-2020-13933: Nexus Repository Manager 2 & 3 – Shiro Authentication Bypass Vulnerability Alert

1 min read

Nexus is a repository manager, and acts as a staging repository which “intercepts” artifacts uploaded by mvn deploy.

Thus artifacts can be safely deployed to Nexus as part of voting on a release. The vote takes place on the staged artifacts. If the vote succeeds, the artifacts can be promoted to the live repository. If it fails, the artifacts can be deleted, and the process can restart.

On October 15, 2020, Sonatype officially released the Nexus Repository Manager 2 & 3 verification bypass vulnerability risk notice (CVE-2020-13933), vulnerability level is a high risk. The vulnerability score is 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Unauthenticated users can submit specially crafted HTTP requests, which may cause authentication to be bypassed.

CVE-2019-5475
Image: sonatype

Affected version

  • Nexus Repository Manager 2 versions up to and including 2.14.18
  • Nexus Repository Manager 3 versions up to and including 3.26.1

Unaffected version:

  • Nexus Repository Manager 2 versions 2.14.19 and later
  • Nexus Repository Manager 3 versions 3.27.0 and later

Solution

In this regard, we recommend that users upgrade Nexus Repository Manager 2 & 3 to the latest version in time.