Nexus Repository Manager OSS/Pro
by Sonatype
CVEs (34)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-7238 | Cri | 0.75 | 9.8 | 0.77 | KEV | Mar 21, 2019 | Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control. | |
| CVE-2019-9629 | Cri | 0.64 | 9.8 | 0.01 | Jul 8, 2019 | Sonatype Nexus Repository Manager before 3.17.0 establishes a default administrator user with weak defaults (fixed credentials). | ||
| CVE-2017-17717 | Cri | 0.64 | 9.8 | 0.01 | Dec 17, 2017 | Sonatype Nexus Repository Manager through 2.14.5 has weak password encryption with a hardcoded CMMDwoV value in the LDAP integration feature. | ||
| CVE-2020-11444 | Hig | 0.58 | 8.8 | 0.09 | Apr 2, 2020 | Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control. | ||
| CVE-2020-15871 | Hig | 0.57 | 8.8 | 0.02 | Jul 31, 2020 | Sonatype Nexus Repository Manager OSS/Pro version before 3.25.1 allows Remote Code Execution. | ||
| CVE-2020-11753 | Hig | 0.57 | 8.8 | 0.02 | Apr 20, 2020 | An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default… | ||
| CVE-2020-15012 | Hig | 0.56 | 8.6 | 0.03 | Oct 12, 2020 | A Directory Traversal issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.19. A user that requests a crafted path can traverse up the file system to get access to content on disk (that the user running nxrm also has access to). | ||
| CVE-2024-4956 | Hig | 0.53 | 7.5 | 0.18 | May 16, 2024 | Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1. | ||
| CVE-2020-15868 | Hig | 0.49 | 7.5 | 0.01 | Aug 12, 2020 | Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control. | ||
| CVE-2019-9630 | Hig | 0.49 | 7.5 | 0.01 | Jul 8, 2019 | Sonatype Nexus Repository Manager before 3.17.0 has a weak default of giving any unauthenticated user read permissions on the repository files and images. | ||
| CVE-2018-16620 | Hig | 0.49 | 7.5 | 0.01 | Nov 15, 2018 | Sonatype Nexus Repository Manager before 3.14 has Incorrect Access Control. | ||
| CVE-2019-15588 | Hig | 0.47 | 7.2 | 0.06 | Nov 1, 2019 | There is an OS Command Injection in Nexus Repository Manager <= 2.14.14 (bypass CVE-2019-5475) that could allow an attacker a Remote Code Execution (RCE). All instances using CommandLineExecutor.java with user-supplied data is vulnerable, such as the Yum Configuration Capability. | ||
| CVE-2019-15893 | Hig | 0.47 | 7.2 | 0.02 | Oct 16, 2019 | Sonatype Nexus Repository Manager 2.x before 2.14.15 allows Remote Code Execution. | ||
| CVE-2018-16621 | Hig | 0.47 | 7.2 | 0.02 | Nov 15, 2018 | Sonatype Nexus Repository Manager before 3.14 allows Java Expression Language Injection. | ||
| CVE-2020-29436 | Med | 0.42 | 6.5 | 0.01 | Dec 17, 2020 | Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Fixed in version 3.29.0. | ||
| CVE-2021-29159 | Med | 0.40 | 6.1 | 0.01 | Apr 28, 2021 | A cross-site scripting (XSS) vulnerability has been discovered in Nexus Repository Manager 3.x before 3.30.1. An attacker with a local account can create entities with crafted properties that, when viewed by an administrator, can execute arbitrary JavaScript in the context of… | ||
| CVE-2020-15870 | Med | 0.40 | 6.1 | 0.01 | Jul 31, 2020 | Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (Issue 2 of 2). | ||
| CVE-2019-11629 | Med | 0.40 | 6.1 | 0.01 | May 7, 2019 | Sonatype Nexus Repository Manager 2.x before 2.14.13 allows XSS. | ||
| CVE-2018-16619 | Med | 0.40 | 6.1 | 0.01 | Nov 15, 2018 | Sonatype Nexus Repository Manager before 3.14 allows XSS. | ||
| CVE-2018-5307 | Med | 0.40 | 6.1 | 0.01 | Feb 9, 2018 | Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 2.x before 2.14.6 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../i… |
- risk 0.75cvss 9.8epss 0.77
Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.
- risk 0.64cvss 9.8epss 0.01
Sonatype Nexus Repository Manager before 3.17.0 establishes a default administrator user with weak defaults (fixed credentials).
- risk 0.64cvss 9.8epss 0.01
Sonatype Nexus Repository Manager through 2.14.5 has weak password encryption with a hardcoded CMMDwoV value in the LDAP integration feature.
- risk 0.58cvss 8.8epss 0.09
Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control.
- risk 0.57cvss 8.8epss 0.02
Sonatype Nexus Repository Manager OSS/Pro version before 3.25.1 allows Remote Code Execution.
- risk 0.57cvss 8.8epss 0.02
An issue was discovered in Sonatype Nexus Repository Manager in versions 3.21.1 and 3.22.0. It is possible for a user with appropriate privileges to create, modify, and execute scripting tasks without use of the UI or API. NOTE: in 3.22.0, scripting is disabled by default…
- risk 0.56cvss 8.6epss 0.03
A Directory Traversal issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.19. A user that requests a crafted path can traverse up the file system to get access to content on disk (that the user running nxrm also has access to).
- risk 0.53cvss 7.5epss 0.18
Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.
- risk 0.49cvss 7.5epss 0.01
Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control.
- risk 0.49cvss 7.5epss 0.01
Sonatype Nexus Repository Manager before 3.17.0 has a weak default of giving any unauthenticated user read permissions on the repository files and images.
- risk 0.49cvss 7.5epss 0.01
Sonatype Nexus Repository Manager before 3.14 has Incorrect Access Control.
- risk 0.47cvss 7.2epss 0.06
There is an OS Command Injection in Nexus Repository Manager <= 2.14.14 (bypass CVE-2019-5475) that could allow an attacker a Remote Code Execution (RCE). All instances using CommandLineExecutor.java with user-supplied data is vulnerable, such as the Yum Configuration Capability.
- risk 0.47cvss 7.2epss 0.02
Sonatype Nexus Repository Manager 2.x before 2.14.15 allows Remote Code Execution.
- risk 0.47cvss 7.2epss 0.02
Sonatype Nexus Repository Manager before 3.14 allows Java Expression Language Injection.
- risk 0.42cvss 6.5epss 0.01
Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Fixed in version 3.29.0.
- risk 0.40cvss 6.1epss 0.01
A cross-site scripting (XSS) vulnerability has been discovered in Nexus Repository Manager 3.x before 3.30.1. An attacker with a local account can create entities with crafted properties that, when viewed by an administrator, can execute arbitrary JavaScript in the context of…
- risk 0.40cvss 6.1epss 0.01
Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (Issue 2 of 2).
- risk 0.40cvss 6.1epss 0.01
Sonatype Nexus Repository Manager 2.x before 2.14.13 allows XSS.
- risk 0.40cvss 6.1epss 0.01
Sonatype Nexus Repository Manager before 3.14 allows XSS.
- risk 0.40cvss 6.1epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 2.x before 2.14.6 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../i…
Page 1 of 2