Login Contact Us Book a Demo

SONATYPE NEXUS REPOSITORY | VERSIONS 3.68.0 AND PRIOR

Critical Vulnerability Detected in Your Nexus Repository Version

Action Required: Nexus Repository Versions 3.68.0 and Prior Have a Critical Vulnerability That Requires Immediate Patching

Upgrade to Mitigate Your Risk

This deployment is using an older Nexus Repository version that contains multiple exploitable critical security vulnerabilities that allow attackers to access sensitive files outside the application scope. We recommend upgrading to the latest version immediately to resolve CVE-2024-4956 and CVE-2024-5764

CVE-2024-4956

This path traversal vulnerability enables an attacker to create a URL that can return a file as a download without authentication. 

Fixed in Nexus Repository Version 3.68.1

Learn More

CVE-2024-5764

The vulnerability exists in code responsible for encrypting secrets stored in the configuration database. 

Fixed in Nexus Repository Version 3.73.0

Learn More


Your version of Nexus Repository may be sunset and no longer supported. Please refer to Sonatype's version status on when your version will be sunset.

Before upgrading to a new version, you may need to update your database. If your deployment uses OrientDB, please be aware that it has been deprecated due to observed data integrity issues in some configurations. Sonatype recommends transitioning to a supported database solution. More information can be found in our upgrade documentation.

Get the Latest Version

Take Advantage of New Capabilities in Sonatype Nexus Repository

Beyond patching a critical vulnerability, the latest version of Nexus Repository offers more feature functionality to ensure enhanced performance, stability, and scalability. 

Feature

Capabilities

Benefits
Ecosystem & Format Support

  • PHP/Composer proxy support

  • OCI Docker support

  • Native Rust/Cargo

  • Improved Conan search

  • Helm repo error feedback

  • Hugging Face support 
Simplify artifact management with wider language and repo coverage to increase developer productivity and support platform consolidation.
High Availability (HA) & Zero-Downtime
  • Zero-downtime HA upgrades
  • HA license auto-distribution
  • GCP blobstore/HA support
  • Usage Center for HA
  • AWS HA enhancements
  • External Secrets Operator
Avoid downtime with true enterprise-grade HA. Align with cloud-native ops that frees SRE hours.
Java 17 & Database Upgrades
  • Java 17 support for H2/PostgreSQL
  • Embedded H2 → v2.2.244
  • H2 driver upgrade v2.3.232
  • H2 default for OSS
  • Improved DB migrator flow
  • Dependency upgrades
Future-proof JVM/runtime for performance/stability via modern DB layer and expect fewer CVEs and patch cycles with faster I/O to accelerate pipelines.
Credential & Identity Security

  • Token expiration configuration

  •  SAML cleanup & auto-profile sync

  •  Re-encryption to mitigate CVE-2024-5764

  • LDAP→SAML token migration

  • RUT auth restored
Reduce breach risk and identity errors with token lifecycle governance, safer credential storage, and IdP agility that automates user lifecycle transitions.
Automation via REST APIs
  • Cleanup policy CRUD API
  • Task management API
  • HTTP config API
  • Retrieve/set IQ audit/quarantine
Take full control of operations via script/API to reduce admin overhead, and enable DevSecOps compliance-as-a-code to be CI-ready.
Cloud Blob-Store Flexibility

  • AWS Pre-Signed URL Downloads 

  • AWS region list & S3 replication

  • Compact cleanup for S3

  • Cloud KMS for Google blob store

  • GCP blobstore performance boost
Enable secure, scalable link-based artifact delivery and geo-distributed storage support with cost-effective cloud architecture and disaster recovery (DR).
Security Monitoring & Firewall

  • CVE-2024-4956 critical fix

  • npm audit + Firewall

  • Malware banner

  • Banner dismissal

  • Firewall REST APIs

  • Firewall + Zscaler integration
Block exploit vectors early with threat visibility, automated protections, and integration with your security stack to minimize MTTR and audit risk.
Usage Analytics & Modern UI

  • Monthly request metrics

  • React-based modern UI

  • Historical usage data

  • Egress licensing insights

  • Cleanup preview timestamps
Reduce user friction and training effort with operational transparency and better UX for reporting and cleanup that helps align usage to cost.
Platform Modernization

  • Spring Boot architecture

  • Jetty 12 web-server

  • ARM Docker images

  • Platform-specific JDKs

  • JReleaser installer

  • Legacy features removed: OSGi, Log4j visualizer, Bower
Reduce upgrade and patch complexity with a cloud-native, simplified deployment, and promote easier container ops and image builds with faster start-up.
Stability, Fixes, and Readiness

  • Helm error feedback

  • NuGet v2 audit logging control

  • NuGet v3 group fix

  • Docker reverse proxy fix

  • Azure blob upload fix

  • PostgreSQL 14+ upgrade warning
Stability for edge cases and readiness for future platform changes that help ensure smoother upgrades, improving the developer experience.

Capabilities

Feature
Ecosystem & Format Support

  • PHP/Composer proxy support

  • OCI Docker support

  • Native Rust/Cargo

  • Improved Conan search

  • Helm repo error feedback

  • Hugging Face support 
High Availability (HA) & Zero-Downtime
  • Zero-downtime HA upgrades
  • HA license auto-distribution
  • GCP blobstore/HA support
  • Usage Center for HA
  • AWS HA enhancements
  • External Secrets Operator
Java 17 & Database Upgrades
  • Java 17 support for H2/PostgreSQL
  • Embedded H2 → v2.2.244
  • H2 driver upgrade v2.3.232
  • H2 default for OSS
  • Improved DB migrator flow
  • Dependency upgrades
Credential & Identity Security

  • Token expiration configuration

  •  SAML cleanup & auto-profile sync

  •  Re-encryption to mitigate CVE-2024-5764

  • LDAP→SAML token migration

  • RUT auth restored
Automation via REST APIs
  • Cleanup policy CRUD API
  • Task management API
  • HTTP config API
  • Retrieve/set IQ audit/quarantine
Cloud Blob-Store Flexibility

  • AWS Pre-Signed URL Downloads 

  • AWS region list & S3 replication

  • Compact cleanup for S3

  • Cloud KMS for Google blob store

  • GCP blobstore performance boost
Security Monitoring & Firewall

  • CVE-2024-4956 critical fix

  • npm audit + Firewall

  • Malware banner

  • Banner dismissal

  • Firewall REST APIs

  • Firewall + Zscaler integration
Usage Analytics & Modern UI

  • Monthly request metrics

  • React-based modern UI

  • Historical usage data

  • Egress licensing insights

  • Cleanup preview timestamps
Platform Modernization

  • Spring Boot architecture

  • Jetty 12 web-server

  • ARM Docker images

  • Platform-specific JDKs

  • JReleaser installer

  • Legacy features removed: OSGi, Log4j visualizer, Bower
Stability, Fixes, and Readiness

  • Helm error feedback

  • NuGet v2 audit logging control

  • NuGet v3 group fix

  • Docker reverse proxy fix

  • Azure blob upload fix

  • PostgreSQL 14+ upgrade warning

Benefits

Feature
Ecosystem & Format Support
Simplify artifact management with wider language and repo coverage to increase developer productivity and support platform consolidation.
High Availability (HA) & Zero-Downtime
Avoid downtime with true enterprise-grade HA. Align with cloud-native ops that frees SRE hours.
Java 17 & Database Upgrades
Future-proof JVM/runtime for performance/stability via modern DB layer and expect fewer CVEs and patch cycles with faster I/O to accelerate pipelines.
Credential & Identity Security
Reduce breach risk and identity errors with token lifecycle governance, safer credential storage, and IdP agility that automates user lifecycle transitions.
Automation via REST APIs
Take full control of operations via script/API to reduce admin overhead, and enable DevSecOps compliance-as-a-code to be CI-ready.
Cloud Blob-Store Flexibility
Enable secure, scalable link-based artifact delivery and geo-distributed storage support with cost-effective cloud architecture and disaster recovery (DR).
Security Monitoring & Firewall
Block exploit vectors early with threat visibility, automated protections, and integration with your security stack to minimize MTTR and audit risk.
Usage Analytics & Modern UI
Reduce user friction and training effort with operational transparency and better UX for reporting and cleanup that helps align usage to cost.
Platform Modernization
Reduce upgrade and patch complexity with a cloud-native, simplified deployment, and promote easier container ops and image builds with faster start-up.
Stability, Fixes, and Readiness
Stability for edge cases and readiness for future platform changes that help ensure smoother upgrades, improving the developer experience.

 

Take Action to Protect Your Repository

Address the vulnerabilities in your repository instance and take advantage of ongoing enhancements by upgrading to the latest version of Nexus Repository. Review our upgrade instructions for more information. Questions or concerns about upgrading? Drop by our Community Forum to connect with other users and get answers from our team.

Upgrade to the latest version

glyph branded arrow
Download Now

Helpful Resources

Upgrade Documentation

Explore everything you need to know before you upgrade your instance of Nexus Repository.
Read Now

Community Forum

Get your questions asked by fellow users and the Sonatype team.
Explore

Release Notes

Explore the the latest functionality and updates in Nexus Repository release notes. 
Read Now

On a Different Release? 

Explore documentation for your existing release.