Vulnerability identifier: #VU19395
Vulnerability risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Nexus Repository Manager
Server applications /
Other server solutions
Vendor: Sonatype Inc.
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the software ships with a weak default security policy that allows all unauthenticated users to read files and images in the repository. A remote non-authenticated attacker can gain access to sensitive information.
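A defender who cannot upgrade immediately will want to know whether anonymous reads of repository content are actually happening. The following Python script is an added example for this advisory, not code from the advisory or from Sonatype: it reviews a request log for successful, unauthenticated GET requests that reached repository content and summarizes them per repository. The log lines are constructed for the example, and the combined-log-style layout (client IP, authenticated user, request line, status) is an assumption about the log format, not a vendor specification.

```python
import re
from collections import defaultdict

# Constructed sample lines in a combined-log style resembling a repository
# manager request log (the layout is an assumption for this example, not taken
# from the vendor). The third field is the authenticated user; "-" means the
# request was not authenticated.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2019:10:01:02 +0000] "GET /repository/maven-releases/com/example/app/1.0/app-1.0.jar HTTP/1.1" 200 - 48213 12 "Apache-Maven/3.6.0"
10.0.0.5 - - [12/Aug/2019:10:01:03 +0000] "GET /repository/docker-internal/v2/example/image/manifests/latest HTTP/1.1" 200 - 1563 8 "docker/18.09"
10.0.0.7 - jenkins [12/Aug/2019:10:02:10 +0000] "GET /repository/maven-releases/com/example/lib/2.1/lib-2.1.pom HTTP/1.1" 200 - 2048 5 "Apache-Maven/3.6.0"
10.0.0.9 - - [12/Aug/2019:10:03:00 +0000] "GET /repository/maven-releases/com/example/secret/0.1/secret-0.1.jar HTTP/1.1" 401 - 0 2 "curl/7.64.0"
10.0.0.9 - - [12/Aug/2019:10:03:30 +0000] "GET /service/rest/v1/status HTTP/1.1" 200 - 20 1 "curl/7.64.0"
10.0.0.5 - - [12/Aug/2019:10:04:00 +0000] "GET /repository/maven-releases/com/example/app/1.0/app-1.0.jar HTTP/1.1" 200 - 48213 11 "Apache-Maven/3.6.0"
"""

# Client IP, ident, user, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Repository content paths are assumed to look like /repository/<repo>/<artifact>.
REPO_RE = re.compile(r'^/repository/(?P<repo>[^/]+)/(?P<artifact>.*)$')


def parse_line(line):
    """Return the fields we need as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def anonymous_artifact_reads(log_text):
    """Return (ip, repo, artifact) tuples for successful unauthenticated GET
    requests that reached repository content. A default policy granting
    anonymous read shows up as a steady stream of such entries."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only unauthenticated, successful reads count; a 401 means the
        # policy did its job, and a named user is not anonymous access.
        if rec["user"] != "-" or rec["method"] != "GET":
            continue
        if not 200 <= rec["status"] < 300:
            continue
        rm = REPO_RE.match(rec["path"])
        if rm is None:
            continue  # status endpoints and the UI are not repository content
        hits.append((rec["ip"], rm.group("repo"), rm.group("artifact")))
    return hits


def summarize_by_repo(hits):
    """Count distinct artifacts read anonymously, per repository."""
    per_repo = defaultdict(set)
    for _ip, repo, artifact in hits:
        per_repo[repo].add(artifact)
    return {repo: len(artifacts) for repo, artifacts in per_repo.items()}


if __name__ == "__main__":
    found = anonymous_artifact_reads(SAMPLE_LOG)
    for ip, repo, artifact in found:
        print(f"anonymous read from {ip}: {repo}/{artifact}")
    print(summarize_by_repo(found))
```

On the constructed input the script reports three anonymous reads across two repositories and ignores the authenticated Jenkins request, the rejected 401 request, and the status endpoint; a non-empty result against a private repository is the signal to disable anonymous access or apply the vendor update.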
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Nexus Repository Manager: 3.0.0-03 - 3.16.2-01
External links
http://www.twistlock.com/labs-blog/vulnerabilities-nexus-repository-left-thousands-artifacts-exposed/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.