NXRM3 version: 3.41.1-01
h2 DB: 1.4.200
Current version of h2 DB contains a few critical vulnerabilities:
It seems these are fixed in latest 2.0.206+ versions.
What’s the process to get this upgraded? Is this already tracked?
Thanks for your inquiry. We are aware of this dependency vulnerability via our continuous monitoring with Nexus Lifecycle.
We consider all dependency vulnerabilities to be potentially exploitable, and we have already queued them for remediation as a routine part of our development process. For the safety of our customers and users, we don’t disclose specific exploitability of this dependency vulnerability.
For more information on our processes, please see Repository Security Vulnerabilities.
If you haven’t already, you can subscribe to announcements of new releases and fixes for verified exploitable vulnerabilities via the Nexus Repository Pro announcements Google group.
Thanks for the info. It wasn’t clear to me that the Pro announcement also applies to OSS versions. I didn’t think the Pro version used the h2 database.
When can we expect a fix for this? I tried with the latest image, and even that has the H2 database and Hazelcast critical vulnerabilities.