
Central Security Project: Unsafe deserialization in Nexus Repository helm plugin

2020-07-07 10:00:13 | c0d3p1ut0s | hackerone.com

EPSS: 0.022 (Low) | Percentile: 89.6%

A remote code execution vulnerability (CVE-2020-15871) has been discovered in Nexus Repository Manager 3.

A user with the right permissions can run arbitrary code as the user running the Nexus Repository Manager server. Alternatively, an attacker could trick a user with the right permissions into running arbitrary code as the user running the Nexus Repository Manager server. We have fixed the issue so that the remote code execution is no longer possible. This advisory provides the pertinent information needed to properly address this vulnerability, along with the details on how to reach us if you have any further questions or concerns.

This vulnerability was identified by an external researcher and has been verified by our security team. We are not aware of any active exploits taking advantage of this issue. However, we strongly encourage all users of Nexus Repository Manager 3 to immediately take the steps outlined in this advisory.

We strongly recommend that all instances of Nexus Repository Manager be upgraded to version 3.25.1 or later. The latest version of Nexus Repository Manager 3 can be downloaded from:

https://help.sonatype.com/repomanager3/download

For detailed upgrade information, please see:

https://support.sonatype.com/hc/en-us/articles/115000350007
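The advisory's remediation step is a version floor (3.25.1). The following inventory check is an added example, not part of the advisory or Sonatype's tooling; the version-string layout ("3.25.1-04") and the `Nexus/<version> (OSS|PRO)` Server header form it parses are assumptions, and the host list is constructed.

```python
"""Flag Nexus Repository Manager 3 instances below the fixed release
named in this advisory (3.25.1).  Version layout MAJOR.MINOR.PATCH-BUILD
and the 'Nexus/3.25.1-04 (OSS)' Server header form are assumptions."""
import re

FIXED_VERSION = (3, 25, 1)  # first release the advisory names as fixed

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a bare version string or a
    Server header such as 'Nexus/3.25.1-04 (OSS)'; None if not found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def needs_upgrade(text):
    """True when the version is a 3.x release older than 3.25.1.
    Numeric comparison matters: 3.9.0 is older than 3.25.1 even though
    it sorts later as a string.  Unparseable input is reported as True
    so it gets looked at rather than silently passing."""
    v = parse_version(text)
    if v is None:
        return True
    if v[0] != 3:
        return False  # only Nexus Repository Manager 3 is in scope here
    return v < FIXED_VERSION


# Constructed sample inventory (host -> Server header seen by your own
# monitoring); the values are made up for illustration.
SAMPLE_INVENTORY = {
    "nexus-a.example": "Nexus/3.24.0-02 (OSS)",
    "nexus-b.example": "Nexus/3.25.1-04 (PRO)",
    "nexus-c.example": "Nexus/3.9.0-01 (OSS)",
}


def hosts_needing_upgrade(inventory):
    """Sorted list of hosts whose reported version is below 3.25.1."""
    return sorted(h for h, s in inventory.items() if needs_upgrade(s))


if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to Nexus Repository Manager 3.25.1 or later")
```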

