Sonatype Nexus Repository Manager Java Object Deserialization RCE
Severity: Critical
Nessus Plugin ID: 92467
Synopsis
The Nexus Repository Manager server running on the remote host is affected by a remote code execution vulnerability.
Description
The Sonatype Nexus Repository Manager server application running on the remote host is affected by a remote code execution vulnerability. The application deserializes Java objects received from unauthenticated clients without validating the classes in the stream, and the Apache Commons Collections (ACC) library on its classpath supplies a gadget chain that turns that deserialization into code execution. An unauthenticated, remote attacker can exploit this by sending a specially crafted serialized Java object to the HTTP interface in order to execute arbitrary code on the target host.
Solution
Upgrade to Sonatype Nexus Repository Manager version 2.11.2-01 or later.
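The flaw class in the description above, shown as an added example that is not Nexus code and not from the advisory: the unsafe pattern (an ObjectInputStream fed an untrusted request body, so any class on the classpath, including ACC gadgets, is instantiated during readObject()) next to a hardened version that applies a deserialization allow-list via java.io.ObjectInputFilter (JEP 290, Java 9 and later; the same API is available as sun.misc.ObjectInputFilter on 8u121 and later). The RepoRequest class, the filter pattern and the "request bodies" are assumptions constructed for the example; the hostile body is an unexpected HashMap rather than a real gadget chain, which is enough to show that the hardened reader rejects anything outside the allow-list before its class is resolved.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Nexus code: the unsafe deserialization pattern the
 * advisory describes next to a hardened reader. Both request bodies are
 * constructed here; in the real issue they arrived over the HTTP interface.
 */
public class DeserializationDemo {

    /** Assumed stand-in for the one object type the server legitimately expects. */
    public static final class RepoRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String repositoryId;
        RepoRequest(String repositoryId) { this.repositoryId = repositoryId; }
    }

    /** Vulnerable: every class named in the stream is resolved and instantiated. */
    static Object unsafeRead(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            return in.readObject();
        }
    }

    /**
     * Hardened: an allow-list filter admits only RepoRequest (and the String it
     * contains) and rejects everything else ("!*"). The check runs before the
     * class is resolved, so a commons-collections gadget never gets constructed.
     * maxdepth bounds how deep an object graph may nest.
     */
    static RepoRequest safeRead(InputStream body) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;java.lang.String;" + RepoRequest.class.getName() + ";!*");
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            in.setObjectInputFilter(filter);
            return (RepoRequest) in.readObject();
        }
    }

    /** Helper to build the constructed request bodies used below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new RepoRequest("releases"));

        // Constructed stand-in for an attacker body: a class the server does not
        // expect. A real exploit carries an ACC gadget chain here instead.
        Map<String, String> unexpected = new HashMap<>();
        unexpected.put("cmd", "id");
        byte[] hostile = serialize(unexpected);

        System.out.println("unsafeRead(legit)   -> "
                + unsafeRead(new ByteArrayInputStream(legit)).getClass().getName());
        System.out.println("unsafeRead(hostile) -> "
                + unsafeRead(new ByteArrayInputStream(hostile)).getClass().getName());
        System.out.println("safeRead(legit)     -> "
                + safeRead(new ByteArrayInputStream(legit)).repositoryId);
        try {
            safeRead(new ByteArrayInputStream(hostile));
        } catch (InvalidClassException e) {
            // The filter rejects the stream; the HashMap is never instantiated.
            System.out.println("safeRead(hostile)   -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on JDK 9 or later. The unsafe reader happily returns a java.util.HashMap for the hostile body, which is exactly the property a gadget chain relies on; the hardened reader fails with an InvalidClassException whose message reports the REJECTED filter status. For the Nexus host itself the fix is the upgrade in the Solution above; the filter is the pattern to apply in your own code that must deserialize untrusted input, and an allow-list of expected classes (not a deny-list of known gadgets) is the form to prefer, since new gadget chains keep appearing.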