This page lists all public security advisories filed against Sonatype Nexus. Refer to the individual advisories for full disclosure details and remediation steps.
Nexus Repository Manager Remote Code Execution Vulnerability Advisory
The vulnerability allows an unauthenticated attacker with network access to the Nexus instance to execute arbitrary code on it remotely.
CVE-2014-9389 - directory traversal
The vulnerabilities allow an attacker to use directory traversal (client-supplied paths that escape the intended base directory) to read or write sensitive files that the application does not mean to expose.
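The usual fix for the class of bug named above is to resolve every client-supplied path against a fixed base directory and reject anything that ends up outside it. The following is an added example written for this page; it is not Nexus code and does not reproduce the affected code path. The class name SafePathResolver, the base-directory layout and the sample requests are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not Nexus code: confine client-supplied paths to a base
 * directory. Assumes the caller has already URL-decoded the request path,
 * because a check that runs before decoding can be bypassed with "%2e%2e".
 */
public final class SafePathResolver {
    private final Path base;

    public SafePathResolver(Path base) throws IOException {
        // Canonicalise the base once so symlinks inside it cannot confuse the comparison.
        this.base = base.toRealPath();
    }

    /** Returns the resolved path, or throws if the request escapes the base. */
    public Path resolve(String requested) throws IOException {
        // NUL bytes and absolute paths are classic traversal tricks; refuse them outright.
        if (requested.indexOf('\0') >= 0 || Paths.get(requested).isAbsolute()) {
            throw new IllegalArgumentException("invalid path: " + requested);
        }
        // normalize() collapses "." and ".." lexically ...
        Path candidate = base.resolve(requested).normalize();
        // ... and toRealPath() (only possible if the file exists) also follows symlinks,
        // so a link that points outside the base is caught as well.
        if (Files.exists(candidate)) {
            candidate = candidate.toRealPath();
        }
        // Path.startsWith compares whole components, so "/repo" does not match "/repo2".
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes repository root: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("repo");          // constructed sample base
        SafePathResolver resolver = new SafePathResolver(root);
        // A normal artifact path is accepted and resolved under the base.
        System.out.println("ok: " + resolver.resolve("org/example/lib/1.0/lib-1.0.jar"));
        // A traversal attempt is rejected before any file access happens.
        try {
            resolver.resolve("../../etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check must run on the decoded path and after normalisation, not on the raw request string: rejecting the literal substring "../" is not enough, since encoded or platform-specific separators reach the filesystem in decoded form.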
CVE-2014-2034 - unauthenticated user account creation
The vulnerability is an execution path that is reachable without authentication and allows user accounts to be created.
CVE-2014-0792 - XStream arbitrary code execution
The vulnerability allows an unauthenticated attacker to have the running Nexus instance instantiate attacker-chosen classes while XStream deserializes attacker-supplied data, leading to arbitrary code execution in the Nexus process.
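The mechanism behind the XStream advisory above is that, before XStream 1.4.18 made the security framework active by default, a plain XStream instance would instantiate whatever class the incoming XML named. The following added example, which is not Nexus or XStream project code, shows a default instance next to one restricted to an allow-list using XStream's own permission API. The RepositoryRequest class, the alias and the sample XML are assumptions made for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/** Added example, not Nexus code: XStream with and without a type allow-list. */
public final class XStreamHardening {

    /** Hypothetical request type: the only object this endpoint should ever accept. */
    public static final class RepositoryRequest {
        public String repositoryId;
        public String name;
    }

    /** Vulnerable pattern (pre-1.4.18 defaults): any class on the classpath can be named in the XML. */
    public static XStream unsafeXStream() {
        XStream xs = new XStream();
        xs.alias("repositoryRequest", RepositoryRequest.class);
        return xs;
    }

    /** Hardened: deny everything, then allow only the types the endpoint needs. */
    public static XStream safeXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from an empty allow-list
        xs.addPermission(NullPermission.NULL);                // permit null references
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // permit primitive fields
        xs.allowTypes(new Class[] { String.class, RepositoryRequest.class });
        xs.alias("repositoryRequest", RepositoryRequest.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one expected document, one naming an unrelated class.
        String expected = "<repositoryRequest><repositoryId>releases</repositoryId>"
                        + "<name>Releases</name></repositoryRequest>";
        String unexpected = "<java.util.HashMap/>"; // attacker picks the class; any loadable class works here

        // Default instance: both documents are happily turned into objects.
        System.out.println(unsafeXStream().fromXML(expected).getClass().getName());
        System.out.println(unsafeXStream().fromXML(unexpected).getClass().getName());

        // Hardened instance: the expected type still works ...
        RepositoryRequest req = (RepositoryRequest) safeXStream().fromXML(expected);
        System.out.println("accepted: " + req.repositoryId);
        // ... and anything outside the allow-list is refused before it is instantiated.
        try {
            safeXStream().fromXML(unexpected);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The benign java.util.HashMap stands in for whatever class an attacker would actually choose; the point is that the default instance resolves and instantiates the named class without the application having any say, while the allow-listed instance refuses it. Keep the allow-list to the concrete request types; allowing wildcards or whole hierarchies reopens the problem.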