We had a pen test in which our Nexus Repository server was flagged for possible SQL injection. Though it was made clear that it may be a false positive, I was curious how this is handled, as I expect it is handled. I cannot find any articles about this in the documentation, but the latest security notice is somewhat reassuring.
Some of the links used:
◦ https:///static/rapture/app.js?_c=%27–%20&_v=3.72.0-04&_e=OSS
◦ https:///service/extdirect/poll/rapture_State_get?_dc=%27or1%3D1–%20
◦ https:///static/rapture/app.js?_v="&_e=OSS&_c=2024-08-30-1816-246
I guess this is product information gathered from central sonatype servers, not related to the local database?
Note: We have upgraded to the latest version, but the pen test was run when 3.72 was installed.
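Added example (not part of the post above, and not Sonatype code): a differential re-test of the two request shapes the scanner flagged, the kind of check used to decide whether a scanner finding is a false positive before going further. The `_dc` parameter on the poll endpoint and `_c`/`_v`/`_e` on `app.js` are ExtJS cache-busting query values; if they are never interpreted server-side, baseline, single quote, `' OR 1=1-- ` and `' OR 1=2-- ` should all produce the same response, whereas a real boolean-based injection shows the TRUE payload matching the baseline and the FALSE payload differing, and an error-based one shows a 5xx on the lone quote. The host `nexus.example.internal` is assumed (the post's URLs have the host removed), the probe values are constructed, and `classify` compares only status and body length because the poll endpoint's body may carry dynamic content.

```python
"""Differential probe for a scanner-reported SQL injection on Nexus Repository.

Added example; not from the original post and not Sonatype's code.
Assumptions: NEXUS_BASE is a placeholder host, PROBES are constructed values.
"""
import hashlib
import sys
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Hypothetical base URL; the post's URLs had their host stripped.
NEXUS_BASE = "https://nexus.example.internal"

# The two request shapes from the post: (path, tampered parameter, fixed params).
TARGETS = {
    "app_js_c": ("/static/rapture/app.js", "_c", {"_v": "3.72.0-04", "_e": "OSS"}),
    "poll_dc": ("/service/extdirect/poll/rapture_State_get", "_dc", {}),
}

# Constructed probe values: a plausible cache-buster, then scanner-style payloads.
PROBES = {
    "baseline": "1700000000000",
    "quote": "'",
    "true": "' OR 1=1-- ",
    "false": "' OR 1=2-- ",
}


def build_url(base, path, param, value, fixed):
    """Assemble the probe URL with the tampered parameter URL-encoded."""
    query = dict(fixed)
    query[param] = value
    return f"{base}{path}?{urllib.parse.urlencode(query)}"


@dataclass(frozen=True)
class Observation:
    status: int
    length: int
    digest: str  # kept for manual diffing; not used by classify()


def observe(status, body: bytes) -> Observation:
    return Observation(status, len(body), hashlib.sha256(body).hexdigest())


def fetch(url, timeout=10) -> Observation:
    """Fetch one probe; HTTP error statuses are observations, not failures."""
    req = urllib.request.Request(url, headers={"User-Agent": "sqli-recheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return observe(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return observe(err.code, err.read())


def _same(a: Observation, b: Observation) -> bool:
    # Status and length only: poll bodies may contain timestamps, so hashes
    # can differ between identical-behaviour responses.
    return a.status == b.status and a.length == b.length


def classify(obs) -> str:
    """Heuristic verdict from the four probes for one parameter."""
    base, quote, true, false = obs["baseline"], obs["quote"], obs["true"], obs["false"]
    if quote.status >= 500 and base.status < 500:
        return "error-on-quote"          # error-based: investigate further
    if _same(base, quote) and _same(base, true) and _same(base, false):
        return "no-effect"               # parameter ignored: likely false positive
    if _same(base, true) and not _same(base, false):
        return "boolean-differential"    # TRUE == baseline, FALSE differs
    return "inconclusive"


def run(base, do_fetch=fetch):
    """Probe every target and return {target_name: verdict}."""
    verdicts = {}
    for name, (path, param, fixed) in TARGETS.items():
        obs = {p: do_fetch(build_url(base, path, param, v, fixed)) for p, v in PROBES.items()}
        verdicts[name] = classify(obs)
    return verdicts


if __name__ == "__main__":
    target_base = sys.argv[1] if len(sys.argv) > 1 else NEXUS_BASE
    for target, verdict in run(target_base).items():
        print(f"{target}: {verdict}")
```

Run it against the server only with authorisation, and treat anything other than `no-effect` as a reason to capture the full responses and compare them by hand; a verdict of `no-effect` on both targets is consistent with the parameters being cache-busters that never reach a query.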