SB2019070820 - Multiple vulnerabilities in Sonatype Nexus Repository Manager


Published: July 8, 2019 Updated: July 26, 2019

Security Bulletin ID: SB2019070820
Severity: High
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 1 of 2 (50%)
Medium: 1 of 2 (50%)

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Default administrative credentials (CVE-ID: CVE-2019-9629)

The vulnerability allows a remote attacker to gain unauthorized administrative access to the application.

The vulnerability exists because the software is installed with weak default administrative credentials. A remote attacker who knows the default credentials can authenticate as the administrator and compromise the application.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-9630)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because the software's default security policy allows all unauthenticated users to read files and images in the repository. A remote, unauthenticated attacker can use this to access sensitive information stored in the repository.


Remediation

Install the update from the vendor's website; Sonatype addressed both issues in Nexus Repository Manager 3.17.0. On an instance that is already running, upgrading does not alter an administrator password or an anonymous-access setting that is already stored in its configuration, so also change the admin password and disable anonymous access unless it is deliberately required.