<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:23:21 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-2801] Upgrade Sonatype Nexus fixing security vulnerabilities (CVE-2020-15871 etc.)</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-2801</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;&lt;a href=&quot;https://repository.folio.org/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://repository.folio.org/&lt;/a&gt; says:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;Nexus Repository 3.27.0 is now available. This release contains [...] security and bug fixes. See the &lt;a href=&quot;https://help.sonatype.com/repomanager3/release-notes&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;Release notes&lt;/a&gt; for more information.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Upgrading Sonatype Nexus from 3.21.2-03 to 3.27.0 fixes these security vulnerabilities:&lt;br/&gt;
&lt;a href=&quot;https://support.sonatype.com/hc/en-us/articles/360053516793-CVE-2020-24622-Nexus-Repository-Manager-3-Sensitive-Information-Disclosure-2020-09-15&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;CVE-2020-24622 Medium - 4.1: Sensitive Information Disclosure - 2020-09-15&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://support.sonatype.com/hc/en-us/articles/360052192533-CVE-2020-15868-Nexus-Repository-Manager-3-Access-Controls-Bypass-2020-08-11&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;CVE-2020-15868 Medium - 6.5: Access Controls Bypass - 2020-08-11&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://support.sonatype.com/hc/en-us/articles/360052192693-CVE-2020-15871-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-07-29&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;CVE-2020-15871 Critical - 9.6: Remote Code Execution - 2020-07-29&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://support.sonatype.com/hc/en-us/articles/360051424754-CVE-2020-15870-Nexus-Repository-Manager-3-Reflection-XSS-2020-07-29&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;CVE-2020-15870 Medium - 6.1: Reflection XSS - 2020-07-29&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://support.sonatype.com/hc/en-us/articles/360051424554-CVE-2020-15869-Nexus-Repository-Manager-3-Reflection-XSS-2020-07-29&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;CVE-2020-15869 Medium - 6.1: Reflection XSS - 2020-07-29&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://support.sonatype.com/hc/en-us/articles/360046233714-CVE-2020-11753-Nexus-Repository-Manager-3-Improper-Access-Controls-2020-04-16&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;CVE-2020-11753 Critical - 9.1: Improper Access Controls - 2020-04-16&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://support.sonatype.com/hc/en-us/articles/360046133553-CVE-2020-11444-Nexus-Repository-Manager-3-Improper-Access-Controls-2020-04-02&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;CVE-2020-11444 Risk: High - 7.1: Improper Access Controls - 2020-04-02&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://support.sonatype.com/hc/en-us/articles/360045360854-CVE-2020-11415-Nexus-Repository-Manager-2-3-Sensitive-Information-Disclosure-2020-04-16&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;CVE-2020-11415 Medium - 5.3: Sensitive Information Disclosure - 2020-04-16&lt;/a&gt;&lt;br/&gt;
Source: &lt;a href=&quot;https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories&lt;/a&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="81808">FOLIO-2801</key>
            <summary>Upgrade Sonatype Nexus fixing security vulnerabilities (CVE-2020-15871 etc.)</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="5f9abc1eb45b2e007453f423">John Malconian</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                            <label>devops</label>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Thu, 17 Sep 2020 16:05:35 +0000</created>
                <updated>Sat, 8 May 2021 20:34:01 +0000</updated>
                            <resolved>Thu, 5 Nov 2020 18:58:38 +0000</resolved>
                                                                    <component>Continuous Integration</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                                                                <comments>
                                                            <comment id="197118" author="5f9abc1eb45b2e007453f423" created="Thu, 24 Sep 2020 14:08:13 +0000"  >&lt;p&gt;I browsed through the CVEs listed above and have concluded that the most critical ones require authenticated access to Nexus in order to exploit.    There are very few Nexus users/accounts that have authenticated access to the repository.   Downgrading priority to P3.  Let me know if I&apos;ve missed anything. &lt;/p&gt;
</comment>
                                                            <comment id="197120" author="5f9abc1eb45b2e007453f423" created="Thu, 5 Nov 2020 18:58:38 +0000"  >&lt;p&gt;Nexus upgraded to 3.28.1 (latest version).&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10155"><![CDATA[FOLIO DevOps]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzx6m9:zmzx4</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1989">DevOps: Sprint 101</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 24 Sep 2020 14:08:13 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>