Sonatype Nexus Repository Manager Vulnerability Advisories (Severity Critical and Medium)

An Improper Access Control vulnerability of critical severity, CVE-2020-11753, has been discovered in Nexus Repository Manager 3. We have mitigated the vulnerability in version 3.22.1. The vulnerability was discovered and reported by shadowsock5 via Sonatype and HackerOne’s Central Security Project.
See Sonatype’s KB article for more detail: CVE-2020-11753 Nexus Repository Manager 3 - Improper Access Controls - 2020-04-16 – Sonatype Support

A Sensitive Information Disclosure vulnerability of medium severity, CVE-2020-11415, has been discovered in Nexus Repository Manager 2 & 3. We have mitigated the vulnerability in versions 2.14.17 and 3.22.1. The vulnerability was discovered and reported by Brian Worthen (brianw) via Sonatype and HackerOne’s Central Security Project.
See Sonatype’s KB article for more detail: CVE-2020-11415 - Nexus Repository Manager 2 & 3 - Sensitive Information Disclosure - 2020-04-16 – Sonatype Support

We recommend that all instances of NXRM3 be upgraded to 3.22.1 or later immediately and that all instances of NXRM2 be upgraded to 2.14.17 or later.