CVE-2019-7238
Published: 21 March 2019
Summary
CVE-2019-7238 is a critical-severity incorrect access control vulnerability in Sonatype Nexus Repository Manager; NVD has not assigned a specific CWE. Its CVSS base score is 9.8 (Critical).
Operationally, its exploit likelihood ranks among the highest of all CVEs (top 0.0% by percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).
Deeper analysis
Sonatype Nexus Repository Manager versions prior to 3.15.0 contain an incorrect access control vulnerability that permits unauthenticated interaction with repository functions that should require authorization. The flaw sits in the core access control mechanism of this widely deployed artifact repository server and carries a CVSS v3 base score of 9.8: the attack vector is the network, and neither privileges nor user interaction are required.
An unauthenticated remote attacker can use the missing authorization check to achieve remote code execution, resulting in complete loss of confidentiality, integrity, and availability on the affected server. Because the flaw is reachable directly over HTTP, any Nexus instance exposed to the internet, or to an internal network segment an attacker has already reached, is a candidate target; an artifact repository is also a supply-chain pivot, since an attacker with code execution on it can tamper with the artifacts that downstream builds consume.
The official Sonatype advisory published on 5 February 2019 explicitly links the access-control deficiency to remote code execution and recommends upgrading to version 3.15.0 or later. The same issue appears in the CISA Known Exploited Vulnerabilities catalog, which indicates that CISA has evidence of in-the-wild exploitation.
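The practical first step for this CVE is inventory: find every Nexus 3 instance and decide whether it is below the 3.15.0 fix release. The script below is an added example written for this page, not Sonatype's code or a published scanner. It assumes that Nexus Repository Manager 3 announces itself in an HTTP `Server` header of the form `Nexus/3.14.0-04 (OSS)`; that header format and the sample headers are constructed assumptions, so confirm them against one of your own instances before trusting the result. It follows the NVD wording "before 3.15.0" literally, and it performs no exploitation, only a version comparison.

```python
"""Version-fingerprint exposure check for CVE-2019-7238 (added example, not Sonatype code).

Assumption: Nexus Repository Manager 3 sends an HTTP header such as
    Server: Nexus/3.14.0-04 (OSS)
from which the release (3.14.0) and build number (04) can be read.
Anything below 3.15.0 is reported as affected, following the NVD text
"before 3.15.0". Nexus 2.x is a separate codebase; the tuple comparison
sweeps it in too, so confirm 2.x hits against the vendor advisory.
"""
import re
import urllib.request
from typing import Optional, Tuple

FIXED_VERSION = (3, 15, 0)  # first release Sonatype names as fixed

# Assumed header format: "Nexus/<major>.<minor>.<patch>-<build> (<edition>)"
_SERVER_RE = re.compile(r"Nexus/(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", re.IGNORECASE)


def parse_nexus_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Server header, or None if it is not Nexus."""
    m = _SERVER_RE.search(server_header or "")
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the release is below 3.15.0 (build number does not matter)."""
    return version < FIXED_VERSION


def assess_header(server_header: str) -> str:
    """Classify one Server header as 'affected', 'fixed' or 'unknown'."""
    version = parse_nexus_version(server_header)
    if version is None:
        return "unknown"  # not a Nexus banner, or banner suppressed by a proxy
    return "affected" if is_affected(version) else "fixed"


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Live check: one HEAD request, then classify the Server header.

    Only run this against hosts you are authorised to test. A reverse proxy
    that rewrites the Server header will make the result 'unknown'.
    """
    req = urllib.request.Request(base_url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return assess_header(resp.headers.get("Server", ""))


# Constructed sample headers for an offline run; not captured from real hosts.
SAMPLE_HEADERS = {
    "nexus-a": "Nexus/3.14.0-04 (OSS)",  # last pre-fix 3.14 release
    "nexus-b": "Nexus/3.15.0-01 (OSS)",  # first fixed release
    "nexus-c": "Nexus/3.2.1-01 (PRO)",   # old 3.x release, still affected
    "other":   "nginx/1.18.0",           # not Nexus: needs a manual look
}

if __name__ == "__main__":
    for host, header in SAMPLE_HEADERS.items():
        print(f"{host:8s} {header:24s} -> {assess_header(header)}")
```

The comparison is on the release triple only: 3.15.0-01 and any later build of 3.15.0 are treated as fixed, while every 3.x release below it is flagged regardless of build number. A result of `unknown` is not a clean bill of health; instances behind a proxy that strips or rewrites the banner still need to be checked from the admin UI or via the host's package inventory.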
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-16782
Vulnerability details
Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.
- CWE(s): none assigned
- KEV date added: 10 December 2021
Related Threats
No named threat actor has been attributed to exploitation of this CVE. ATT&CK technique mapping is in progress.
Affected Assets
Sonatype Nexus Repository Manager, all versions before 3.15.0 (fixed in 3.15.0 and later).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations on Nexus repository functions, blocking the unauthenticated access path that enables RCE.
- AC-6 (Least Privilege): Limits the privileges of the Nexus service account so that even if a request reaches repository APIs, code execution in that context does not yield full system rights.
- AC-17 (Remote Access): Requires explicit authorization and security controls (for example, a VPN or allowlisted reverse proxy) for all remote connections to the Nexus instance, closing the unrestricted network path described in the CVE.