Service Notices
Nexus Repository Manager Remote Code Execution Vulnerability (CVE-2020-15871)
Aug 07, 2020 GMT+08:00
I. Overview
The Sonatype security team has released a security notice disclosing a remote code execution vulnerability (CVE-2020-15871) in Nexus Repository Manager versions earlier than 3.25.0. An attacker who holds certain permissions can execute arbitrary code with the privileges of the Nexus Repository Manager server process. Alternatively, an attacker can trick a user who holds those permissions into triggering the execution of arbitrary code on the Nexus Repository Manager server.
If you use Nexus Repository Manager, check your deployment and apply security hardening promptly.
Reference link:
II. Severity
Severity: important
(Severity scale: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Nexus Repository Manager OSS/Pro 3.x versions earlier than 3.25.0
Secure version:
Nexus Repository Manager OSS/Pro 3.25.1 or later
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official release. If your installed version falls within the affected range, upgrade to the secure version.
Download link: https://help.sonatype.com/repomanager3/download/
Note: Before applying the fix, back up your data and test the upgrade thoroughly.
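To triage a fleet of instances against the ranges in section III, the following added example (not part of this notice or of Sonatype's tooling) classifies a Nexus 3 HTTP Server header value as affected, secure, or unlisted. It assumes the host advertises its version in the form `Nexus/3.x.y-nn (OSS)`; the sample banners are constructed, not captured from real hosts.

```python
import re
from typing import Optional, Tuple

# Ranges exactly as stated in the notice. 3.25.0 itself appears in neither
# range (affected is "earlier than 3.25.0", secure is "3.25.1 or later"),
# so it is reported separately rather than guessed either way.
AFFECTED_BELOW = (3, 25, 0)
SECURE_FROM = (3, 25, 1)

# Assumed banner format, e.g. "Nexus/3.24.0-02 (OSS)". The "-02" build
# number and the edition suffix are optional and do not affect the verdict.
BANNER_RE = re.compile(
    r"Nexus/(\d+)\.(\d+)\.(\d+)(?:-\d+)?(?:\s*\((OSS|PRO)\))?", re.IGNORECASE
)

def parse_banner(server_header: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), edition) or None if not a Nexus banner."""
    m = BANNER_RE.search(server_header)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    edition = (m.group(4) or "unknown").upper()
    return version, edition

def classify(version: Tuple[int, int, int]) -> str:
    """Map a version tuple onto the ranges given in the notice."""
    if version[0] != 3:
        return "out-of-scope"      # the notice only covers the 3.x line
    if version < AFFECTED_BELOW:
        return "affected"
    if version >= SECURE_FROM:
        return "secure"
    return "unlisted"              # 3.25.0: in neither stated range

def assess(server_header: str) -> str:
    parsed = parse_banner(server_header)
    return "unknown" if parsed is None else classify(parsed[0])

# Constructed sample banners for demonstration only.
SAMPLE_BANNERS = [
    "Nexus/3.24.0-02 (OSS)",
    "Nexus/3.25.0-03 (PRO)",
    "Nexus/3.25.1-04 (OSS)",
    "Nexus/2.14.20-02",
    "Apache/2.4.41 (Ubuntu)",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:28} -> {assess(banner)}")
```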