An XML External Entities (XXE) injection vulnerability has been discovered in Nexus Repository Manager (NXRM) that requires immediate action. The vulnerability allows an attacker with an administrative account in NXRM to configure the system in a way that lets them view files on the filesystem and interact with any back-end or external systems that NXRM can reach. We have mitigated the issue by configuring the XML parsing library to no longer process external entities. This advisory provides the information needed to properly address this vulnerability, along with details on how to reach us if you have any further questions or concerns.
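An added example, not Sonatype's or NXRM's code, of the mitigation the advisory describes: a parser configured so that external entities are never processed, written against Python's standard-library expat bindings. The sample documents and entity system ids are constructed placeholders; the refusal happens before any file or network I/O.

```python
# Added example (not Sonatype's code): parser hardened as the advisory
# describes, so the library never processes external entities.
import xml.parsers.expat
from xml.parsers.expat import ExpatError, XML_PARAM_ENTITY_PARSING_NEVER

class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to pull in external content."""

def parse_untrusted_xml(data: bytes):
    """Parse XML into (element, text) pairs with external entities disabled:
    no external DTD/parameter entity is fetched, an external general entity
    reference raises before any I/O, and an entity left undefined because
    its DTD was skipped is refused too (or rejected by expat as undefined).
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver each text node in one callback
    parser.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse_external(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity refused: {system_id!r}")

    def refuse_skipped(name, is_parameter_entity):
        raise UnsafeXML(f"unresolved entity refused: &{name};")

    elements, text = [], []

    def start(name, attrs):
        text.clear()

    def end(name):
        elements.append((name, "".join(text)))
        text.clear()

    parser.ExternalEntityRefHandler = refuse_external
    parser.SkippedEntityHandler = refuse_skipped
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return elements

def rejects_external_content(data: bytes) -> bool:
    """Regression check for the hardening: True if the document is refused."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXML, ExpatError):
        return True
    return False
```

The `rejects_external_content` check is the kind of regression test worth keeping next to any parser configuration, so a later library upgrade or default change cannot silently re-enable entity resolution.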
- Nexus Repository Manager 3 <=3.28.1
- Nexus Repository Manager 3 version 3.29.0