
Nexus Repository Flaws Expose Thousands of Private Artifacts

Two vulnerabilities in Nexus Repository exposed thousands of private artifacts across a broad range of industries, Twistlock’s security researchers reveal.

Nexus is Sonatype’s integrated open source governance platform that allows developers to proxy, collect, and manage Java dependencies, Docker images, Python packages and much more, as well as easily distribute their software.

A universal repository manager, the Nexus Repository Manager allows developers to configure their builds internally to publish artifacts to Nexus, thus making them available to other developers.

Nexus, Sonatype claims, is used by over 1,000 organizations and 10 million software developers. The company also notes that there are more than 120,000 active Nexus Repositories at the moment.

What Twistlock discovered was that the default Nexus settings include two issues, unrelated to each other, but which exposed artifacts from all affected repositories to the public.

Tracked as CVE-2019-9629, the first issue is that the default user in the Nexus Repository Manager is always set to be admin/admin123, essentially allowing anyone with knowledge of these credentials to access content in the repository.

More importantly, any unauthenticated user was allowed to read/download resources from Nexus, meaning that even if the default user was changed, people could still access content in a repository. This vulnerability is tracked as CVE-2019-9630.

“This means all the images in the repository can be downloaded just by accessing the repository, with no authentication needed, or by authenticating as the default admin account if unchanged,” Twistlock’s Daniel Shapira explains.

The security researcher also notes that many users tend to skip a lot of configuration steps, which often results in software being exposed, because it is running under default settings with minor modification.

“Thanks to the ‘docker one-liner’ that anyone can find on Docker Hub, you can run Sonatype Nexus too. Under normal circumstances, users tend to see that the image is up and running, and leave everything else as it is. This is usually acceptable, unless the default settings of the product are somehow not aligned with the best practices for security, like in the case of Nexus Repository,” Shapira notes.

The security researcher says that at least half of the Internet-accessible repositories he checked were using the default settings, which expose them to both of the aforementioned vulnerabilities.

“These vulnerabilities place a lot of users in a position in which they expose all of their private artifacts (images, packages, etc…) to the internet unintentionally, a scenario that is more common than you might think,” the researcher notes.

In many cases, Shapira says, the default user was not deleted from the installation, although a different user was set up, complex password policies were employed, and the permissions on viewing resources were changed as well.

These vulnerabilities, the security researcher says, “exposed thousands of private artifacts across a broad range of industries, including financial services, healthcare, communications, government agencies and countless private companies.”

Twistlock reported the vulnerabilities to Sonatype in March and a fix was released on June 24, in Nexus Repository 3.17.0, which disables the default admin user and fixes the permission issues.

UPDATE. “The majority of repository managers are deployed inside a firewall and intentionally configured to allow anonymous access for sharing artifacts. This is a useful capability to provide organizations who choose to do so,” Sonatype’s Brian Fox explains in a blog post.

He also notes that, in certain situations, it is highly important to be able to provide access to common artifacts without requiring a user to sign up.

“Obviously providing wide open read access on the public Internet should be carefully considered, but as you see with many public forges, that ability to serve common artifacts without requiring a user to sign up, is critically important,” Fox says.
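
An added example (not code from Twistlock, Sonatype or this article): an offline audit of the two default settings described above, together with the 3.17.0 version check. The snapshot layout, field names and severity labels are assumptions, and the sample snapshots are constructed.

```python
import re

FIXED = (3, 17, 0)  # release the article names as containing the fix

def parse_version(text):
    """Pull (major, minor, patch) out of a string such as '3.16.2-01'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(part) for part in m.groups())

def audit(snapshot):
    """Return (severity, message) findings for one settings snapshot."""
    # Hypothetical layout: an administrator fills it in from the instance.
    findings = []
    exposed = snapshot["internet_facing"]
    if parse_version(snapshot["version"]) < FIXED:
        findings.append(("medium", "version predates 3.17.0"))
    if snapshot["anonymous_read"]:
        # Anonymous read can be intentional behind a firewall; on a
        # public instance it exposes every artifact (CVE-2019-9630).
        sev = "high" if exposed else "info"
        findings.append((sev, "anonymous read access enabled"))
    for user in snapshot["users"]:
        # Adding a second administrator does not remove the built-in
        # account, so look for it by name (CVE-2019-9629).
        if user["id"] == "admin" and user["enabled"]:
            sev = "high" if exposed else "medium"
            findings.append((sev, "built-in admin account still enabled"))
    return findings

# Constructed snapshots, not data from any real instance.
DEFAULT_INSTALL = {
    "version": "3.16.2-01", "internet_facing": True, "anonymous_read": True,
    "users": [{"id": "admin", "enabled": True}],
}
PARTLY_HARDENED = {
    "version": "3.16.2-01", "internet_facing": True, "anonymous_read": False,
    "users": [{"id": "admin", "enabled": True}, {"id": "ops", "enabled": True}],
}
HARDENED = {
    "version": "3.17.0-01", "internet_facing": False, "anonymous_read": False,
    "users": [{"id": "admin", "enabled": False}, {"id": "ops", "enabled": True}],
}

if __name__ == "__main__":
    for name in ("DEFAULT_INSTALL", "PARTLY_HARDENED", "HARDENED"):
        print(name, audit(globals()[name]))
```

The `PARTLY_HARDENED` snapshot models the case Shapira describes, where a new user and stricter permissions were configured but the default account was never removed.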

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
