Nexus Repository Manager 2 & 3 – Shiro Authentication Bypass
Oct 19, 2020 GMT+08:00
I. Overview
Sonatype has officially disclosed an authentication bypass vulnerability (CVE-2020-13933) in Apache Shiro that affects Nexus Repository Manager 2 and 3. When Nexus Repository Manager 2 or 3 runs a version of Apache Shiro carrying this vulnerability, an unauthenticated user can submit specially crafted HTTP requests that bypass authentication, which may then allow malicious operations on the repository manager.
If you are using Nexus Repository Manager 2 or 3, check your system and implement timely security hardening.
References:
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Nexus Repository Manager 2 versions earlier than 2.14.19
Nexus Repository Manager 3 versions earlier than 3.27.0
Secure versions:
Nexus Repository Manager 2 versions 2.14.19 and later
Nexus Repository Manager 3 versions 3.27.0 and later
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official versions. If your service version falls within the affected range, upgrade to one of the secure versions listed above.
Nexus Repository Manager 2 download address: https://help.sonatype.com/repomanager2/download
Nexus Repository Manager 3 download address: https://help.sonatype.com/repomanager3/download
Note: Before applying the fix, back up your files and test the upgrade thoroughly.
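To turn the affected/secure ranges above into a repeatable inventory check, here is an added example (not part of this notice or of Sonatype's tooling) that parses Nexus version strings and compares them against the fixed releases named in section III. It assumes Nexus version strings of the form `major.minor.patch` with an optional `-NN` build suffix (for example `3.26.1-02`); the host names in the sample inventory are constructed.

```python
import re

# Fixed releases from this notice: anything earlier is in the affected range.
FIXED_VERSIONS = {2: (2, 14, 19), 3: (3, 27, 0)}


def parse_version(version: str) -> tuple:
    """Parse a Nexus version string such as '3.26.1-02' into (major, minor, patch).

    Assumption: Nexus version strings may carry a '-NN' build suffix, which does
    not affect the vulnerable/fixed decision and is ignored here.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-\d+)?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised Nexus version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if this Nexus Repository Manager version falls in the affected range
    for CVE-2020-13933 as stated in the notice (2.x < 2.14.19, 3.x < 3.27.0)."""
    parsed = parse_version(version)
    major = parsed[0]
    if major not in FIXED_VERSIONS:
        raise ValueError(f"notice covers Nexus 2 and 3 only, got major version {major}")
    # Tuple comparison is lexicographic, so (2, 14, 18) < (2, 14, 19) etc.
    return parsed < FIXED_VERSIONS[major]


def check_hosts(inventory: dict) -> dict:
    """Map each host in an inventory {host: version} to whether it needs an upgrade."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    inventory = {
        "nexus2-legacy.example.internal": "2.14.18-01",
        "nexus2-patched.example.internal": "2.14.19-01",
        "nexus3-build.example.internal": "3.26.1-02",
        "nexus3-ci.example.internal": "3.27.0-03",
    }
    for host, affected in check_hosts(inventory).items():
        print(f"{host}: {'UPGRADE REQUIRED' if affected else 'ok'}")
```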