Sonatype Nexus < 2.7.1 'XStream' Object Remote Code Execution Vulnerability

Medium

Synopsis

The remote server contains a vulnerability that can be exploited for remote code execution.

Description

Versions of Sonatype Nexus earlier than 2.7.1 are prone to a remote code execution vulnerability because the application deserialises user-controlled XML data with the XStream library. Specifically, this issue affects the 'XStream' object of the application.
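The root cause described above is XStream materialising whatever class the incoming XML names. The following constructed example, added here and not taken from Nexus or the XStream project, shows the defensive configuration an application embedding XStream needs: a deny-by-default instance that only instantiates an explicit allowlist of types, so XML naming any other class is rejected before it is constructed. The `RepositoryRequest` type, the sample XML and the use of `DomDriver` are assumptions; the permission API assumed here exists in XStream 1.4.7 and later.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamDemo {

    /** Constructed data-transfer type that the application legitimately expects. */
    public static class RepositoryRequest {
        public String name;
        public int retries;
    }

    /** Build an XStream instance that only materialises explicitly allowed types. */
    public static XStream hardenedXStream() {
        // DomDriver uses the JDK's own XML parser, so no extra parser library is needed.
        XStream xs = new XStream(new DomDriver());
        xs.addPermission(NoTypePermission.NONE);              // start from "deny everything"
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xs.allowTypes(new Class[] { String.class, RepositoryRequest.class });
        xs.alias("request", RepositoryRequest.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();

        // Constructed benign input: names an allowed type and deserialises normally.
        String benign = "<request><name>releases</name><retries>3</retries></request>";
        RepositoryRequest r = (RepositoryRequest) xs.fromXML(benign);
        System.out.println("accepted: " + r.name + " / " + r.retries);

        // Constructed input naming a type outside the allowlist. XStream refuses to
        // instantiate it, which is what removes the attacker's choice of class.
        String unexpected = "<java.util.HashMap/>";
        try {
            xs.fromXML(unexpected);
            System.out.println("unexpected type was accepted (allowlist not active)");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For Nexus itself the remedy is the vendor update; the allowlist shown here is the general mitigation for any application that feeds untrusted XML to XStream.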

Solution

The vendor has provided updates; upgrade to 2.7.1 or later.