Sonatype Nexus Repository Manager 3 Vulnerability Advisory (Severity: High)

An XML External Entities (XXE) vulnerability has been discovered in Nexus Repository Manager 3. We have fixed the vulnerability in version 3.29.0.

The vulnerability was discovered and reported by James Mills at F-Secure Consulting.

See Sonatype’s KB article for more detail: "CVE-2020-29436 Nexus Repository Manager 3 - XML External Entities injection - 2020-12-15" (Sonatype Support).