Nexus Repository Anonymous Access

high Web App Scanning Plugin ID 115094

Language:

Synopsis

Nexus Repository Anonymous Access

Description

Nexus Repository Manager is a popular repository management tool used to store and manage software artifacts. If anonymous access is enabled, unauthenticated users can list and browse repositories, potentially exposing private artifacts such as source code, packages, and Docker images.

Solution

Disable anonymous access in the Nexus Repository Manager settings.

See Also

https://help.sonatype.com/en/anonymous-access.html

Plugin Details

Severity: High

ID: 115094

Type: remote

Family: Component Vulnerability

Published: 1/5/2026

Updated: 1/5/2026

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.1

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:sonatype:nexus_repository_manager:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CWE: 276

OWASP: 2010-A4, 2013-A4, 2013-A9, 2017-A5, 2017-A9, 2021-A1, 2021-A6

WASC: Insufficient Authorization

CAPEC: 122, 233, 58

DISA STIG: APSC-DV-000500, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-CM-6b

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1

PCI-DSS: 3.2-6.2, 3.2-6.5.8