[FOLIO-2801] Upgrade Sonatype Nexus fixing security vulnerabilities (CVE-2020-15871 etc.) Created: 17/Sep/20 Updated: 08/May/21 Resolved: 05/Nov/20 |
|
| Status: | Closed |
| Project: | FOLIO |
| Components: | Continuous Integration |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | P3 |
| Reporter: | Julian Ladisch | Assignee: | John Malconian |
| Resolution: | Done | Votes: | 0 |
| Labels: | devops, security, security-reviewed | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Sprint: | DevOps: Sprint 101 |
| Development Team: | FOLIO DevOps |
| Description |
|
https://repository.folio.org/ says:
Upgrading Sonatype Nexus from 3.21.2-03 to 3.27.0 fixes these security vulnerabilities: |
| Comments |
| Comment by John Malconian [ 24/Sep/20 ] |
|
I browsed through the CVEs listed above and have concluded that the most critical ones require authenticated access to Nexus in order to exploit. There are very few Nexus users/accounts that have authenticated access to the repository. Downgrading priority to P3. Let me know if I've missed anything. |
| Comment by John Malconian [ 05/Nov/20 ] |
|
Nexus upgraded to 3.28.1 (latest version). |