Detections
Analytics
Sonatype Nexus < 2.7.1 'XStream' Object Remote Code Execution Vulnerability
medium Nessus Network Monitor Plugin ID 8084
Synopsis
The remote server contains a vulnerability that can be exploited for remote code execution.Description
Versions of Sonatype Nexus earlier than 2.7.1 are prone to remote code execution vulnerability due to the application deserialising user-controlled XML data using the XStream library. Specifically, this issue affects 'XStream' object of the application.Solution
The vendor has provided updates; upgrade to 2.7.1 or later.See Also
https://sonatype.zendesk.com/entries/37551958-Configuring-Xstream-Whitelist
https://support.sonatype.com/entries/37828023-Nexus-Security-Vulnerability
http://www.sonatype.org/advisories/archive/2014-01-13-Nexus/
Plugin Details
Severity: Medium
ID: 8084
Family: Web Servers
Published: 1/22/2014
Updated: 3/6/2019
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Medium
Base Score: 5.4
Temporal Score: 4.7
Vector: CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: Medium
Base Score: 5
Temporal Score: 4.8
Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:X
Vulnerability Information
CPE: cpe:/a:sonatype:nexus
Patch Publication Date: 1/13/2014
Vulnerability Publication Date: 1/13/2014
Reference Information
CVE: CVE-2014-0792
BID: 65043