CVE-2020-29436: Nexus Repository Manager 3 – XML External Entities Injection Vulnerability Alert


On December 15, 2020, a risk notice was issued for an XML External Entities Injection vulnerability in Nexus Repository Manager 3. The vulnerability is tracked as CVE-2020-29436 and is rated high risk. A remote attacker holding administrator privileges can trigger XML external entity injection by submitting a specially crafted XML request.

Vulnerability Detail

An XML External Entities (XXE) injection vulnerability has been discovered in Nexus Repository Manager requiring immediate action. The vulnerability allows an attacker with an administrative account in NXRM to configure the system in a way that allows them to view files on the filesystem, and to interact with any back-end or external systems that NXRM can access. We have mitigated the issue by no longer allowing the XML parsing library to process these external entities. This advisory provides the pertinent information needed to properly address this vulnerability, along with the details on how to reach us if you have any further questions or concerns.
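The fix described above amounts to configuring the XML parser so that it never resolves external entities. The following Java example (added here for illustration; it is not Sonatype's or NXRM's code) shows what that configuration looks like with the JDK's standard DocumentBuilderFactory, and contrasts it with a factory left at its defaults. The sample XML document is constructed for this example; the entity URI in it is a placeholder and points at nothing real.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Constructed sample: an XML request whose DOCTYPE declares an external
    // entity. The SYSTEM URI is a placeholder, not a real file on any host.
    static final String SAMPLE_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE request [\n"
      + "  <!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">\n"
      + "]>\n"
      + "<request><name>&ext;</name></request>";

    // Constructed sample: an ordinary request with no DOCTYPE at all.
    static final String SAMPLE_CLEAN =
        "<?xml version=\"1.0\"?><request><name>repo-a</name></request>";

    /** Factory left at JDK defaults: a DOCTYPE is accepted and external
     *  entities are resolved, which is the behaviour XXE relies on. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Factory with external entity processing switched off. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: without entity declarations there is
        // nothing for an XXE payload to reference.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that must tolerate a DOCTYPE: do not
        // fetch external general/parameter entities or an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parse(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // The hardened parser still handles normal documents.
        Document ok = parse(hardenedFactory(), SAMPLE_CLEAN);
        System.out.println("hardened parser accepted clean document, root = "
            + ok.getDocumentElement().getTagName());

        // The hardened parser refuses the DOCTYPE before any entity is touched.
        try {
            parse(hardenedFactory(), SAMPLE_WITH_EXTERNAL_ENTITY);
            System.out.println("UNEXPECTED: hardened parser accepted external entity document");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }

        // The default parser tries to open the placeholder URI; the resulting
        // I/O failure is visible evidence that it attempted the resolution.
        try {
            parse(defaultFactory(), SAMPLE_WITH_EXTERNAL_ENTITY);
            System.out.println("default parser resolved the external entity");
        } catch (Exception e) {
            System.out.println("default parser attempted resolution and failed: "
                + e.getClass().getSimpleName());
        }
    }
}
```

When reviewing an XML-consuming component for this class of issue, the check is whether every DocumentBuilderFactory, SAXParserFactory or XMLInputFactory in the code path sets features equivalent to those in `hardenedFactory()`; a factory obtained from `newInstance()` and used as-is is the pattern to flag.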

Affected version

  • Nexus Repository Manager 3 <= 3.28.1

Unaffected version

  • Nexus Repository Manager 3 version 3.29.0

Solution

We recommend that users upgrade Nexus Repository Manager 3 to the latest version promptly.