Security Experts:

Connect with us

Hi, what are you looking for?



Nexus Repository Flaws Expose Thousands of Private Artifacts

Two vulnerabilities in Nexus Repository exposed thousands of private artifacts across a broad range of industries, Twistlock’s security researchers reveal.

Two vulnerabilities in Nexus Repository exposed thousands of private artifacts across a broad range of industries, Twistlock’s security researchers reveal.

Nexus is Sonatype’s integrated open source governance platform that allows developers to proxy, collect, and manage Java dependencies, Docker images, Python packages and much more, as well as easily distribute their software.

A universal repository manager, the Nexus Repository Manager allows developers to configure their builds internally to publish artifacts to Nexus, thus making them available to other developers.

Nexus, Sonatype claims, is used by over 1,000 organizations and 10 million software developers. The company also notes that there are more than 120,000 active Nexus Repositories at the moment.

What Twistlock discovered was that the default Nexus settings include two issues, unrelated to each other, but which exposed artifacts from all affected repositories to the public.

Tracked as CVE-2019-9629, the first issue is that the default user in the Nexus Repository Manager is always set to be admin/admin123, essentially allowing anyone with knowledge of these credentials to access content in the repository.

More importantly, any unauthenticated user was allowed to read/download resources from Nexus, meaning that even if the default user was changed, people could still access content in a repository. This vulnerability is tracked as CVE-2019-9630.

“This means all the images in the repository can be download just by accessing the repository, with no authentication needed, or by authenticating as the default admin account if unchanged,” Twistlock’s Daniel Shapira explains.

The security researcher also notes that many users tend to skip a lot of configuration steps, which often results in software being exposed, because it is running under default settings with minor modification.

“Thanks to the ‘docker one-liner’ that anyone can find on Docker Hub, you can run Sonatype Nexus too. Under normal circumstances, users tend to see that the image is up and running, and leave everything else as it is. This is usually acceptable, unless the default settings of the product are somehow not aligned with the best practices for security, like in the case of Nexus Repository,” Shapira notes.

The security researcher says that at least half of the Internet accessible repositories he checked were using the default settings, which expose them to both of the aforementioned vulnerabilities.

“These vulnerabilities place a lot of users in a position in which they expose all of their private artifacts (images, packages, etc…) to the internet unintentionally, a scenario that it is more common than you might think,” the researcher notes.

In many cases, Shapira says, the default user was not deleted from the installation, although a different user was set up, complex password policies were employed, and the permissions on viewing resources were changed as well.

These vulnerabilities, the security researcher says, “exposed thousands of private artifacts across a broad range of industries, including financial services, healthcare, communications, government agencies and countless private companies.”

Twistlock reported the vulnerabilities to Sonatype in March and a fix was released on June 24, in Nexus Repository 3.17.0, which disables the default admin user and fixes the permission issues.

UPDATE. “The majority of repository managers are deployed inside a firewall and intentionally configured to allow anonymous access for sharing artifacts. This is a useful capability to provide organizations who choose to do so,” Sonatype’s Brian Fox explains in a blog post.

He also notes that, in certain situations, it is highly important to be able to provide access to common artifacts without requiring a user to sign up.

“Obviously providing wide open read access on the public Internet should be carefully considered, but as you see with many public forges, that ability to serve common artifacts without requiring a user to sign up, is critically important,” Fox says.

Related: Code Execution Flaw Found in Sonatype Nexus Repository Manager

Related: Risk-Based Vulnerability Management is a Must for Security & Compliance

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.