Sonatype Nexus Repository Manager (NXRM) is a Maven repository manager developed by Sonatype.

On September 6, 2019, the Alibaba Cloud emergency response center detected a remote command execution vulnerability in Nexus Repository Manager 2.x. An attacker who can authenticate to the Nexus Repository Manager 2.x Capabilities interface over HTTP Basic Authentication, for example with the default account and password admin:admin123, can then invoke the createrepo or mergerepo command to inject operating system commands. An attacker who exploits this vulnerability can execute arbitrary commands on the server remotely, which poses a severe risk.

Scope of impact: Nexus Repository Manager OSS and Nexus Repository Manager Pro, all versions earlier than 2.14.14

Rule-based defense: A virtual patch is available in the Cloud Firewall console to address this vulnerability.

Rule type: command execution

Risk level: high

Security suggestions: Upgrade Nexus Repository Manager 2.x to version 2.14.14.
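The following triage helper is an added example, not code from Sonatype or Alibaba Cloud. It takes the version string an NXRM 2.x instance reports and decides whether it falls inside the affected range stated above (2.x earlier than 2.14.14). It assumes the NXRM 2 version format `major.minor.patch-build` (for example `2.14.13-01`); the status XML embedded below is a constructed sample whose layout is an assumption, not a captured response.

```python
"""Triage helper for the NXRM 2.x command-injection advisory.

Added example, not Sonatype or Alibaba Cloud code. Assumptions (labelled):
- version strings look like "2.14.13-01" (major.minor.patch-build);
- SAMPLE_STATUS_XML is a constructed sample; its element layout is an
  assumption about how a status document might carry the version.
"""
import re
import xml.etree.ElementTree as ET

# Fixed version from the advisory: 2.14.14. Only the 2.x line is in scope.
FIXED_VERSION = (2, 14, 14)
AFFECTED_MAJOR = 2

# Constructed sample status document (assumed layout, not a real capture).
SAMPLE_STATUS_XML = (
    "<status><data>"
    "<version>2.14.13-01</version>"
    "<edition>OSS</edition>"
    "</data></status>"
)


def parse_version(text):
    """Return (major, minor, patch) from strings such as '2.14.13-01'.

    The trailing '-01' build qualifier is ignored: the advisory's boundary
    is expressed purely in major.minor.patch terms.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the instance is a 2.x release earlier than 2.14.14."""
    v = parse_version(version_text)
    return v[0] == AFFECTED_MAJOR and v < FIXED_VERSION


def version_from_status_xml(xml_text):
    """Extract the <version> text from a status document (assumed layout)."""
    root = ET.fromstring(xml_text)
    node = root.find("./data/version")
    if node is None or not node.text:
        raise ValueError("no <version> element in status document")
    return node.text.strip()


def triage(xml_text):
    """Combine parsing and the range check into one result record."""
    version = version_from_status_xml(xml_text)
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "action": "upgrade to 2.14.14 or later" if affected else "outside affected range",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_STATUS_XML))
```

Feeding the sample through `triage` reports `2.14.13-01` as affected; a 2.14.14 build or any 3.x version is reported as outside the range, which matches the scope line of the advisory. The range check is deliberately separate from the XML parsing so it can be reused against version strings obtained in other ways, such as an inventory export.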