#VU19395 Permissions, Privileges, and Access Controls in Nexus Repository Manager


Published: 2019-07-26

Vulnerability identifier: #VU19395

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-9630

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Nexus Repository Manager
Server applications / Other server solutions

Vendor: Sonatype Inc.

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because the software ships with a weak default security policy that allows all unauthenticated users to read files and images in the repository. A remote, non-authenticated attacker can gain access to sensitive information.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Nexus Repository Manager: 3.0.0-03 - 3.16.2-01


External links
http://www.twistlock.com/labs-blog/vulnerabilities-nexus-repository-left-thousands-artifacts-exposed/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
