Nexus RM3 OSS h2 vulnerability

NXRM3 version: 3.41.1-01
h2 DB: 1.4.200

Current version of h2 DB contains a few critical vulnerabilities:

  1. CVE-2021-23463
  2. CVE-2021-42392
  3. CVE-2022-23221

It seems these are fixed in latest 2.0.206+ versions.

What’s the process to get this upgraded? Is this already tracked?

Regards,
Atharva

Atharva,

Thanks for your inquiry. We are aware of this dependency vulnerability via our continuous monitoring with Nexus Lifecycle.

We consider all dependency vulnerabilities to be potentially exploitable, and we have already queued them for remediation as a routine part of our development process. For the safety of our customers and users, we don’t disclose specific exploitability of this dependency vulnerability.

For more information on our processes, please see Repository Security Vulnerabilities.

If you haven’t already, you can subscribe to announcements of new releases and fixes for verified exploitable vulnerabilities via the Nexus Repository Pro announcements Google group.

Michael


Michael,

Thanks for the info. It wasn’t clear to me that the Pro announcement also applies to OSS versions. I didn’t think the Pro version used the h2 database.

Regards,
Atharva