Risk | High |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2019-9629 CVE-2019-9630 |
CWE-ID | CWE-255 CWE-264 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Nexus Repository Manager Server applications / Other server solutions |
Vendor | Sonatype Inc. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU19393
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9629
CWE-ID:
CWE-255 - Credentials Management
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to software uses default weak administrative credentials. A remote attacker with knowledge of default credentials can compromise the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsNexus Repository Manager: 3.0.0-03 - 3.16.2-01
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU19395
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9630
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software uses weak security policy by default that allows all unauthenticated users to read files and images on the repository. A remote non-authenticated attacker can gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsNexus Repository Manager: 3.0.0-03 - 3.16.2-01
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.