[FOLIO-2801] Upgrade Sonatype Nexus fixing security vulnerabilities (CVE-2020-15871 etc.) Created: 17/Sep/20  Updated: 08/May/21  Resolved: 05/Nov/20

Status: Closed
Project: FOLIO
Components: Continuous Integration
Affects versions: None
Fix versions: None

Type: Bug Priority: P3
Reporter: Julian Ladisch Assignee: John Malconian
Resolution: Done Votes: 0
Labels: devops, security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint: DevOps: Sprint 101
Development Team: FOLIO DevOps

Description

https://repository.folio.org/ says:

Nexus Repository 3.27.0 is now available. This release contains [...] security and bug fixes. See the Release notes for more information.

Upgrading Sonatype Nexus from 3.21.2-03 to 3.27.0 fixes these security vulnerabilities:
CVE-2020-24622 Medium - 4.1: Sensitive Information Disclosure - 2020-09-15
CVE-2020-15868 Medium - 6.5: Access Controls Bypass - 2020-08-11
CVE-2020-15871 Critical - 9.6: Remote Code Execution - 2020-07-29
CVE-2020-15870 Medium - 6.1: Reflection XSS - 2020-07-29
CVE-2020-15869 Medium - 6.1: Reflection XSS - 2020-07-29
CVE-2020-11753 Critical - 9.1: Improper Access Controls - 2020-04-16
CVE-2020-11444 High - 7.1: Improper Access Controls - 2020-04-02
CVE-2020-11415 Medium - 5.3: Sensitive Information Disclosure - 2020-04-16
Source: https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories
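A version check that operationalises this ticket, added here as an example and not part of the Jira issue or of the FOLIO DevOps tooling: it parses Nexus 3 version strings (the "3.21.2-03" form used above), compares the deployed build against the 3.27.0 release that closes the listed CVEs, and extracts the version from an HTTP Server header. The Server header format "Nexus/<version> (OSS)" and the sample headers are assumptions constructed for the example.

```python
import re
from typing import Optional, Tuple

# Versions named in the ticket: the deployed build and the first release
# that Sonatype's advisories list as fixing all eight CVEs above.
DEPLOYED_VERSION = "3.21.2-03"
FIXED_VERSION = "3.27.0"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_nexus_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a Nexus 3 version such as '3.21.2-03' into a comparable tuple.

    The trailing '-03' is Sonatype's build number; it becomes a fourth
    component and defaults to 0 when absent (e.g. '3.27.0').
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed release."""
    inst, fix = parse_nexus_version(installed), parse_nexus_version(fixed)
    if inst is None or fix is None:
        raise ValueError(f"unrecognised Nexus version: {installed!r} / {fixed!r}")
    return inst >= fix


def version_from_server_header(header_value: str) -> Optional[str]:
    """Extract the version from a Server header value.

    Assumption (not stated in the ticket): Nexus 3 answers requests with a
    header like 'Server: Nexus/3.21.2-03 (OSS)'; only the version is used.
    """
    m = re.match(r"Nexus/(\S+)", header_value.strip())
    return m.group(1) if m else None


def assess_header(header_value: str) -> Tuple[Optional[str], bool]:
    """Return (version, patched) for a Server header; unknown formats are unpatched."""
    version = version_from_server_header(header_value)
    return (version, is_patched(version)) if version else (None, False)


if __name__ == "__main__":
    # Constructed sample headers: the pre-upgrade build from the ticket and
    # the 3.28.1 build the ticket was closed on.
    for hdr in ("Nexus/3.21.2-03 (OSS)", "Nexus/3.28.1-01 (OSS)"):
        print(hdr, "->", assess_header(hdr))
```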


Comments
Comment by John Malconian [ 24/Sep/20 ]

I browsed through the CVEs listed above and have concluded that the most critical ones require authenticated access to Nexus in order to exploit. There are very few Nexus users/accounts that have authenticated access to the repository. Downgrading priority to P3. Let me know if I've missed anything.

Comment by John Malconian [ 05/Nov/20 ]

Nexus upgraded to 3.28.1 (latest version).