org.sonatype.nexus:nexus-core@3.16.0-01 vulnerabilities
- latest version: 3.70.0-03
- latest non vulnerable version:
- first published: 11 years ago
- latest version published: 23 days ago
- licenses detected: [0,)
- package manager:

Direct Vulnerabilities
Known vulnerabilities in the org.sonatype.nexus:nexus-core package. This does not include vulnerabilities belonging to this package’s dependencies.

| Vulnerability | Vulnerable Version |
|---|---|
| org.sonatype.nexus:nexus-core is a Nexus Core package. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). An attacker with elevated privileges can create content selectors with a specially crafted name using the REST API (not allowed by the UI) which when viewed by another user can execute arbitrary JavaScript in the context of the NXRM application. How to fix Cross-site Scripting (XSS)? Upgrade | [,3.21.2) |
| org.sonatype.nexus:nexus-core is a Nexus Core package. Affected versions of this package are vulnerable to Remote Code Execution (RCE). It is possible for any authenticated user, no matter the permissions granted, to run arbitrary code on the server (with Nexus process privileges) by injecting arbitrary Java Expression Language (EL) expressions. How to fix Remote Code Execution (RCE)? Upgrade | [,3.21.2) |
| org.sonatype.nexus:nexus-core is a Nexus Core package. Affected versions of this package are vulnerable to Remote Code Execution. Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3.19, and IQ Server before 72, has a vulnerability where an attacker with elevated privileges can upload a specially crafted file to result in code execution. How to fix Remote Code Execution? Upgrade | [2.4.0-1,2.14.15-01), [3.0.0-b2014101001,3.19.0-01) |