XXE Vulnerability in Sonatype Nexus Repository Manager
CVE-2020-29436

6.5MEDIUM

Key Information:

Vendor: Sonatype
Status: Nexus Repository Manager
Vendor: CVE Published:; 17 December 2020

What is CVE-2020-29436?

Sonatype Nexus Repository Manager 3.x versions prior to 3.29.0 are susceptible to an XML External Entities (XXE) injection vulnerability. This allows a user with administrative privileges to misconfigure the system, potentially granting unauthorized access to sensitive content outside of the Nexus repository. This vulnerability was addressed in the release of version 3.29.0, emphasizing the necessity for immediate upgrading to safeguard against potential exploitation.

References

https://support.sonatype.com/hc/en-us/articles/1500000415...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 17, 2020
Vulnerability Reserved
Nov 30, 2020