Sonatype vulnerabilities and exploits

CVE-2019-9629 (CVSSv2 7.5)

Sonatype Nexus Repository Manager before 3.17.0 establishes a default administrator user with weak defaults (fixed credentials)....

CVE-2019-14469 (CVSSv2 3.5)

In Nexus Repository Manager before 3.18.0, users with elevated privileges can create stored XSS....

CVE-2019-15588 (CVSSv2 9.0)

There is an OS Command Injection in Nexus Repository Manager <= 2.14.14 (a bypass of the fix for CVE-2019-5475) that could allow an attacker Remote Code Execution (RCE). All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration...

CVE-2014-9389 (CVSSv2 7.5)

Directory traversal vulnerability in Sonatype Nexus OSS and Pro before 2.11.1-01 allows remote attackers to read or write to arbitrary files via unspecified vectors....

CVE-2014-0792 (CVSSv2 7.5)

Sonatype Nexus 1.x and 2.x before 2.7.1 allows remote attackers to create arbitrary objects and execute arbitrary code via unspecified vectors related to unmarshalling of unintended Object types....

CVE-2019-7238 (CVSSv2 7.5)

Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control....

Sonatype Nexus
CVE-2014-2034 (CVSSv2 7.5)

Unspecified vulnerability in Sonatype Nexus OSS and Pro 2.4.0 through 2.7.1 allows attackers to create arbitrary user accounts via unknown vectors related to "an unauthenticated execution path."...

CVE-2019-5475 (CVSSv2 9.0)

The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Execution when instances using CommandLineExecutor.java are supplied vulnerable data, such as the Yum Configuration Capability....
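The two Yum-plugin entries above (CVE-2019-5475 and its bypass CVE-2019-15588) describe the same root cause: an administrator-supplied path is handed to a command executor that goes through a shell. The following Python is an added illustration of that pattern and of the hardening a reviewer would ask for; it is not Nexus code and does not reproduce CommandLineExecutor.java. `echo` stands in for the real tool (createrepo) so it runs anywhere with /bin/sh, the path allowlist is an assumption chosen for the example, and the attacker input is constructed.

```python
"""Shell-injection pattern behind CVE-2019-5475 / CVE-2019-15588, shown generically.
Added example, not Nexus code: `echo` stands in for createrepo."""
import re
import subprocess


def run_tool_vulnerable(repo_path: str) -> str:
    """One command string handed to /bin/sh. Every shell metacharacter in
    repo_path (; | & $( ) `) is interpreted, so whoever fills in the form
    field decides what runs."""
    cmd = f"echo createrepo {repo_path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_tool_argv_only(repo_path: str) -> str:
    """argv list, no shell: repo_path reaches the tool as exactly one
    argument, metacharacters and all. This alone stops the shell injection."""
    return subprocess.run(["echo", "createrepo", repo_path],
                          capture_output=True, text=True).stdout


# Allowlist (assumption for this example): absolute path, restricted charset.
_SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]+$")


def validate_repo_path(repo_path: str) -> None:
    """Allowlist instead of blocklist. CVE-2019-15588 bypassed the fix for
    CVE-2019-5475, which is the usual fate of a filter that enumerates bad
    characters; an allowlist plus a '..' component check leaves no second try."""
    if not _SAFE_PATH.match(repo_path) or ".." in repo_path.split("/"):
        raise ValueError(f"rejected repository path: {repo_path!r}")


def run_tool_hardened(repo_path: str) -> str:
    """Validate, then execute without a shell. Both layers: the tool itself may
    still interpret odd arguments, so the input is constrained as well."""
    validate_repo_path(repo_path)
    return run_tool_argv_only(repo_path)


if __name__ == "__main__":
    payload = "/var/yum/repo; echo INJECTED"   # constructed attacker input
    print(run_tool_vulnerable(payload), end="")  # two lines: the injected echo ran
    print(run_tool_argv_only(payload), end="")   # one line, payload printed literally
    try:
        run_tool_hardened(payload)
    except ValueError as err:
        print(err)
    print(run_tool_hardened("/var/yum/repo"), end="")
```

The point of the three functions is the difference between the first two: the same payload produces a second command in `run_tool_vulnerable` and a harmless literal in `run_tool_argv_only`. The validator is the second layer, and it is written as an allowlist precisely because the blocklist-style fix for CVE-2019-5475 was bypassed.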

Sonatype Nexus Repository Manager
CVE-2019-16530 (CVSSv2 9.0)

Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3.19, and IQ Server before 72, allows remote code execution....

CVE-2017-17717 (CVSSv2 10.0)

Sonatype Nexus Repository Manager through 2.14.5 has weak password encryption with a hardcoded CMMDwoV value in the LDAP integration feature....
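A practitioner reading a listing like this usually wants one answer: which of these entries apply to the Nexus build I am running? The script below is an added example (not Sonatype tooling) that transcribes the affected ranges stated in the entries above into comparable version tuples and reports the matches. Assumptions made here and not stated on the page: the Nexus "-NN" build qualifier is ignored when comparing; lower bounds not given by an entry are taken from the major line it names (2.x or 3.x); CVE-2019-5475 is recorded as "all 2.x" because the page gives no fixed version; and the `Server: Nexus/<version>` header format used by `version_from_server_header` is an assumption about how the version is advertised. IQ Server (named in CVE-2019-16530) is out of scope because it is versioned separately.

```python
"""Version triage against the CVE listing above (added example, not Sonatype code).
Given a Nexus Repository Manager version string, report which listed CVEs apply."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.16.2-01' -> (3, 16, 2). The trailing '-NN' build qualifier is dropped
    (assumption: builds of one x.y.z share a security state); short strings such
    as '3.19' are padded to three components so tuples compare cleanly."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Nexus version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


# (CVE, first affected [inclusive], bound, bound is inclusive?)
# Ranges transcribed from the entries above. Lower bounds the page does not
# state are assumptions taken from the major line each entry names.
AFFECTED: List[Tuple[str, str, str, bool]] = [
    ("CVE-2014-0792",  "1.0",   "2.7.1",   False),  # 1.x and 2.x before 2.7.1
    ("CVE-2014-2034",  "2.4.0", "2.7.1",   True),   # 2.4.0 through 2.7.1
    ("CVE-2014-9389",  "2.0",   "2.11.1",  False),  # before 2.11.1-01
    ("CVE-2017-17717", "2.0",   "2.14.5",  True),   # through 2.14.5
    ("CVE-2019-5475",  "2.0",   "3.0",     False),  # "v2": no fixed version on this page
    ("CVE-2019-15588", "2.0",   "2.14.14", True),   # <= 2.14.14
    ("CVE-2019-16530", "2.0",   "2.14.15", False),  # 2.x before 2.14.15
    ("CVE-2019-7238",  "3.0",   "3.15.0",  False),  # before 3.15.0
    ("CVE-2019-9629",  "3.0",   "3.17.0",  False),  # before 3.17.0
    ("CVE-2019-14469", "3.0",   "3.18.0",  False),  # before 3.18.0
    ("CVE-2019-16530", "3.0",   "3.19",    False),  # 3.x before 3.19
]


def affected_cves(version: str) -> List[str]:
    """CVEs from the listing whose stated range contains `version`, in listing order."""
    v = parse_version(version)
    hits: List[str] = []
    for cve, lo, hi, hi_inclusive in AFFECTED:
        if v < parse_version(lo):
            continue
        h = parse_version(hi)
        if v > h or (v == h and not hi_inclusive):
            continue
        if cve not in hits:            # CVE-2019-16530 has a 2.x and a 3.x row
            hits.append(cve)
    return hits


# Assumption: the instance advertises itself as 'Server: Nexus/<version> ...'.
_SERVER_RE = re.compile(r"Nexus/(\d[\d.]*(?:-\d+)?)")


def version_from_server_header(header: str) -> Optional[str]:
    """Extract the version from a Server header value; None if it is absent
    or has been rewritten by a proxy."""
    m = _SERVER_RE.search(header)
    return m.group(1) if m else None


if __name__ == "__main__":
    for sample in ("2.14.14-01", "2.14.15-01", "3.16.2-01", "3.19.1-01"):
        print(sample, "->", affected_cves(sample) or "none of the listed CVEs")
    print(version_from_server_header("Nexus/3.16.2-01 (OSS)"))
```

A hit from this script is a reason to look at the entry and the vendor advisory, not proof of exploitability: the ranges are only as precise as the one-line descriptions on this page, and CVE-2019-5475 in particular is flagged for every 2.x release because the listing names no fixed version for it.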