A Remote Code Execution vulnerability has been discovered in Nexus Repository Manager requiring immediate action. The vulnerability allows for an attacker with any type of account on NXRM to execute arbitrary code by crafting a malicious request to NXRM. We have mitigated the issue by adjusting the configuration of third-party library that allowed for this attack. This advisory provides the pertinent information needed to properly address this vulnerability, along with the details on how to reach us if you have any further questions or concerns.
This vulnerability was identified by an external researcher and has been verified by our security team. We are not aware of any active exploits taking advantage of this issue.
The identified vulnerability can allow for the user to evaluate any code they send on the system, that the user running the server has privileges to.
Sonatype Nexus Repository before 3.21.2