Team,
we have seen a notification saying the following:
Date: February 5, 2019
Affected Versions: Nexus Repository Manager 3.6.2 OSS/Pro versions up to and including 3.14.0
Fixed in Version: Nexus Repository Manager OSS/Pro version 3.15.0
CVE-2019-7238 Summary
Insufficient access controls have been discovered in Nexus Repository Manager 3 which allow remote code execution.
An unauthenticated user can craft requests in such a manner that can execute Java code on the server. We have mitigated the issue by adding the necessary access controls as well as disabling the ability to execute arbitrary Java code via this path. This advisory provides the pertinent information needed to properly address this vulnerability, along with the details on how to reach us if you have any further questions or concerns.
This vulnerability was identified by external researchers and has been verified by our security team. We are not aware of any active exploits taking advantage of this issue. However, we strongly encourage all users of NXRM to immediately take the steps outlined in this advisory.
As the identified vulnerability allows an unauthenticated attacker to run arbitrary Java code on the system, we are highly recommending all instances of NXRM be upgraded to 3.15 or later.
The vulnerability associated with this advisory is fixed in NXRM 3.15 and above. The latest version of NXRM 3.x can be downloaded from:
https://help.sonatype.com/repomanager3/download
Current Nexus version we have: Nexus Pro 2.14.8
Please let us know if this vulnerability is applicable to our version of Nexus Repository Manager…
Thank you,
Nagashree.B