![]() For CVE-2019-9629, an attacker could seize control of the repository by authenticating as the default admin account.Īccording to Shapira, at least 50% of the repositories exposed to the public internet were working under NXRM’s vulnerable default settings. In the case of CVE-2019-9630, even without authentication, an attacker will be able to download artifacts by merely accessing the repository. ![]() The successful exploitation of these vulnerabilities could expose users’ private artifacts, for example, Docker images, Java dependencies, and Python packages. Meanwhile, CVE-2019-9630 grants unauthenticated users read permissions on the repository files and images by default. Twistlock security researcher Daniel Shapira discovered that CVE-2019-9629 allows users to access the repository content via credentials that were set to admin/admin123 by default. CVE-2019-9629 and CVE-2019-9630 allow unauthorized access to private artifacts Sonatype, which has more than 150,000 active NXRM active installations and is used by many organizations in the public and private industries, has already provided a fix for the vulnerabilities in their 3.16.2 and 3.17 releases. Assigned CVE-2019-9629 and CVE-2019-9630, the vulnerabilities result from the poor configuration of the repository manager’s default settings and affect versions before 3.17.0. Two vulnerabilities were uncovered in Sonatype’s Nexus Repository Manager (NXRM), an open-source governance platform used by DevOps professionals for component management in software development, application deployment, and automated hardware provisioning.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |