News and Notes from the Makers of Nexus | Sonatype Blog

CVE-2019-7238 in Sonatype Nexus Repository

Written by Mike Hansen | March 14, 2019

In late December of 2018, researchers Rico from Tencent Security Yunding Lab and Voidfyoo from Chaitin Tech responsibly disclosed a critical vulnerability in Sonatype Nexus Repository 3 - CVE-2019-7238.

We responded immediately, and on February 5 we released Sonatype Nexus Repository 3.15, which fixed the identified vulnerability and removed the threat. We subsequently took numerous steps across multiple distribution channels to reach all Sonatype Nexus Repository customers and users, to ensure that they were aware of the issue and to provide proper support.

Today, we noticed chatter in the community in response to this article.

The purpose of this post is to again emphasize the importance of upgrading to the latest version of Sonatype Nexus Repository.

Resources:

If you run into any problems, or have any questions/concerns, please contact us by filing a ticket at https://support.sonatype.com.