Service Notices

Nexus Repository Manager 2 & 3 – Shiro Authentication Bypass

Oct 19, 2020 GMT+08:00

I. Overview

Sonatype has published a security advisory for CVE-2020-13933, an authentication bypass in Apache Shiro (versions earlier than 1.6.0) that affects Nexus Repository Manager 2 and 3. Because Nexus Repository Manager uses Shiro for authentication and authorization, an unauthenticated attacker who can reach an affected instance over HTTP can send a specially crafted request that bypasses authentication and may then perform operations that should require a login.

If you run Nexus Repository Manager 2 or 3, check the version of each instance and apply the fix promptly.

References:

https://support.sonatype.com/hc/en-us/articles/360053556313-CVE-2020-13933-Nexus-Repository-Manger-2-3-Shiro-Authentication-Bypass?spm=a2c4g.11174386.n2.4.6cd010516kwQXa

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Nexus Repository Manager 2 versions earlier than 2.14.19

Nexus Repository Manager 3 versions earlier than 3.27.0

Secure versions:

Nexus Repository Manager 2 versions 2.14.19 and later

Nexus Repository Manager 3 versions 3.27.0 and later
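A version check for the affected ranges above, added here as an example and not part of this advisory or of Sonatype's tooling: it parses the version that Nexus reports in its HTTP Server header (assumed not to have been suppressed by the operator or a reverse proxy) and compares it against the fixed release for its major line. The host labels, header values, and the 4.x entry are constructed for illustration.

```python
import re

# Fixed releases from the advisory, keyed by major release line:
# anything below the listed version on that line is affected.
FIXED_VERSIONS = {
    2: (2, 14, 19),
    3: (3, 27, 0),
}

# Nexus identifies itself in the HTTP "Server" response header, e.g.
# "Nexus/3.26.1-02 (OSS)". Assumption: the header has not been suppressed;
# otherwise take the version string from the UI footer and pass it in directly.
_VERSION_RE = re.compile(r"Nexus/(\d+)\.(\d+)\.(\d+)(?:-\d+)?")


def parse_version(text):
    """Extract (major, minor, patch) from a Server header or bare 'Nexus/x.y.z-nn' string.

    The trailing '-nn' build number does not change fix status and is ignored.
    Returns None when no Nexus version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when version (major, minor, patch) is earlier than the fixed release
    for its major line. Raises ValueError for a line the advisory does not cover."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        raise ValueError(f"advisory does not cover Nexus {version[0]}.x")
    return version < fixed


def assess(server_header):
    """Classify one Server header value as 'affected', 'fixed', 'not-covered', or 'unknown'."""
    version = parse_version(server_header)
    if version is None:
        return "unknown"        # not a Nexus header, or the version was suppressed
    try:
        return "affected" if is_affected(version) else "fixed"
    except ValueError:
        return "not-covered"    # a release line outside the advisory's scope


# Constructed sample header values (not captured from real hosts), one per case.
SAMPLE_HEADERS = {
    "nexus2-old":  "Nexus/2.14.18-01 (OSS)",
    "nexus2-ok":   "Nexus/2.14.19-01 (OSS)",
    "nexus3-old":  "Nexus/3.26.1-02 (OSS)",
    "nexus3-ok":   "Nexus/3.27.0-03 (PRO)",
    "proxy-only":  "nginx/1.18.0",             # reverse proxy hides the backend
    "future-line": "Nexus/4.0.0-01 (OSS)",     # hypothetical, outside the advisory
}


def assess_all(headers=SAMPLE_HEADERS):
    """Map each host label to its classification."""
    return {name: assess(hdr) for name, hdr in headers.items()}


if __name__ == "__main__":
    # Against a live instance, obtain the header with:
    #   curl -sI https://nexus.example.com/ | grep -i '^Server:'
    # and pass the value to assess().
    for name, status in assess_all().items():
        print(f"{name:12} {status}")
```

A result of "unknown" is not a clean bill of health: a proxy in front of Nexus commonly rewrites the Server header, so confirm the version from the instance itself before marking a host as fixed.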

IV. Vulnerability Handling

This vulnerability is fixed in the official releases listed above. If your version falls into the affected range, upgrade to the fixed version for your release line (2.14.19 or 3.27.0) or later.

Nexus Repository Manager 2 download address: https://help.sonatype.com/repomanager2/download

Nexus Repository Manager 3 download address: https://help.sonatype.com/repomanager3/download

Note: Before upgrading, back up your data and configuration, and test the upgrade in a non-production environment first.