Nexus Repository Manager Remote Code Execution Vulnerability (CVE-2020-15871)

Aug 07, 2020 GMT+08:00

I. Overview

The Sonatype security team has released a security notice disclosing a remote code execution vulnerability (CVE-2020-15871) in Nexus Repository Manager versions earlier than 3.25.0. An attacker with certain permissions can execute arbitrary code with the privileges of the Nexus Repository Manager server process. Alternatively, an attacker can trick a user who holds the required permissions into executing arbitrary code on the Nexus Repository Manager server.

If you are a Nexus Repository Manager user, check your system and implement timely security hardening.

Reference link:

https://support.sonatype.com/hc/en-us/articles/360052192693-CVE-2020-15871-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-07-29

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Nexus Repository Manager OSS/Pro 3.x versions earlier than 3.25.0

Secure version:

Nexus Repository Manager OSS/Pro 3.25.1 or later

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official version. If your installed version falls into the affected range, upgrade it to the secure version.

Download link: https://help.sonatype.com/repomanager3/download/

Note: Before applying the fix, back up your data and test the upgrade thoroughly.
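To help decide which instances fall into the range above, the following Python helper (added here, not Sonatype's code) classifies a Nexus 3 version string against the boundaries stated in this notice. It assumes the version is available in the form 3.x.y-NN, for example from the `Server` header that Nexus 3 returns (constructed samples below), and it reports 3.25.0, which the notice names neither as affected nor as secure, as "unclassified" so that it is reviewed rather than silently accepted.

```python
import re
from typing import Dict, Optional, Tuple

# Boundaries stated in the notice: 3.x below 3.25.0 is affected, 3.25.1 or later is secure.
AFFECTED_BELOW = (3, 25, 0)
SECURE_FROM = (3, 25, 1)

# Matches "3.24.0-02" on its own or inside a Server header such as "Nexus/3.24.0-02 (OSS)".
# The "-NN" build suffix is ignored for the range check. Header format is an assumption.
_VERSION_RE = re.compile(r"(?:Nexus/)?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_nexus_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a version or Server header string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def classify_cve_2020_15871(text: str) -> str:
    """Classify as 'affected', 'secure', 'unclassified' or 'unknown' per the notice."""
    ver = parse_nexus_version(text)
    if ver is None or ver[0] != 3:
        return "unknown"            # not parseable, or not the 3.x line the notice covers
    if ver < AFFECTED_BELOW:        # tuple comparison, so 3.9.0 sorts below 3.25.0
        return "affected"
    if ver >= SECURE_FROM:
        return "secure"
    return "unclassified"           # exactly 3.25.0: between the two stated boundaries


def hosts_needing_action(inventory: Dict[str, str]) -> Dict[str, str]:
    """Given host -> version/header string, return hosts that are not confirmed secure."""
    return {host: classify_cve_2020_15871(v) for host, v in inventory.items()
            if classify_cve_2020_15871(v) != "secure"}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and header values are illustrative only.
    sample = {
        "nexus-build.example.internal": "Nexus/3.24.0-02 (OSS)",
        "nexus-release.example.internal": "Nexus/3.25.1-04 (PRO)",
        "nexus-staging.example.internal": "Nexus/3.25.0-03 (OSS)",
        "proxy.example.internal": "nginx/1.18.0",
    }
    for host, status in hosts_needing_action(sample).items():
        print(f"{host}: {status}")
```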