Sonatype Advisories: Archive

Critical Security Advisory for Sonatype Nexus users

March 3, 2014

Affected Versions: Nexus OSS/Pro versions from 2.4.0 to 2.7.1
Fixed in Version: Nexus OSS/Pro version 2.7.2-03

A critical security vulnerability has been discovered in Nexus requiring immediate action. The vulnerability makes use of an unauthenticated execution path that allows for the creation of user accounts. We have added a mitigating control in the latest release, and patches are available for prior affected releases. This advisory provides the pertinent information needed to properly address this vulnerability, along with the details on how to reach us if you have any further questions or concerns.

Critical Security Advisory for Sonatype Nexus users

January 14, 2014

Affected Versions: Nexus OSS/Pro versions prior to and including 2.7.0-06

A critical security vulnerability has been discovered by Sonatype in Nexus requiring immediate action. The vulnerability makes use of an execution path in an open source library; the available patch adds a mitigating control for it. This advisory provides the pertinent information needed to properly mitigate this vulnerability, along with the details on how to reach us if you have any further questions or concerns.

Medium Security Advisory (CVSS score of 5.8) for Struts 2.3.15.2 users

October 15, 2013

On October 15, 2013, the Apache Struts group announced that a new version of Struts, 2.3.15.3, was being made generally available. This new version was released to fix another aspect of the previously reported vulnerability, CVE-2013-4310, which was originally made public in the National Vulnerability Database on September 30th and affects all versions prior to 2.3.15.2.

Critical Security Advisory for Struts2 Users

August 8, 2013

On July 20, the National Vulnerability Database disclosed a serious vulnerability in Struts2, which includes all versions up to 2.3.15. This vulnerability is similar to other recent "expression language injection" vulnerabilities in Struts2, except that ALL implementations are vulnerable, regardless of configuration or application coding.