
CVE-2019-7238

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 21 March 2019
Modified: 06 November 2025
KEV Added: 10 December 2021
Patch: upgrade to Nexus Repository Manager 3.15.0 or later
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9438 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-7238 is a critical-severity incorrect access control vulnerability in Sonatype Nexus Repository Manager 3 (versions before 3.15.0) that an unauthenticated remote attacker can use to achieve remote code execution. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score of 0.9438 places it at the 100th percentile of all scored CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest compensating controls our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access); the definitive fix is upgrading to 3.15.0 or later.

Deeper analysis

Sonatype Nexus Repository Manager versions prior to 3.15.0 contain an incorrect access control vulnerability that permits unauthorized interaction with repository functions. The flaw affects the core access control mechanisms of the widely deployed artifact repository server and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.

An unauthenticated remote attacker can exploit the missing controls to achieve remote code execution, resulting in complete compromise of confidentiality, integrity, and availability on the affected server. Because the vulnerability can be reached directly over the network, any exposed Nexus instance is potentially reachable by an attacker on the internet or within an internal network segment.

The official Sonatype advisory published on 5 February 2019 explicitly links the access-control deficiency to remote code execution and recommends upgrading to version 3.15.0 or later. The same issue appears in the CISA Known Exploited Vulnerabilities catalog, confirming that in-the-wild exploitation has been observed.


Vulnerability details

Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.

CWE(s): none listed
KEV Date Added: 10 December 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sonatype
Product: nexus repository manager
Versions: 3.0.0 up to, but not including, 3.15.0 (fixed in 3.15.0)
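Added example, not code from this page, from Sonatype, or from the advisory: a version-triage helper that reads the banner reported by each Nexus host, extracts the release, and applies the "before 3.15.0" rule from the affected-version range above. Assumptions, all mine: the `Nexus/<version>` layout of the Server banner, the constructed hostnames and banner strings, and the rule that the `-NN` build qualifier does not change the verdict because the fix is tied to the 3.15.0 release.

```python
import re
from typing import NamedTuple, Optional

# Fixed release named in the Sonatype advisory: every 3.x release before it is affected.
FIXED_VERSION = (3, 15, 0)


class NexusVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: Optional[int]  # the "-NN" build qualifier, e.g. 3.14.0-04 -> 4

    def core(self) -> tuple:
        return (self.major, self.minor, self.patch)


# Accepts "3.14.0", "3.14.0-04" and "Nexus/3.14.0-04 (OSS)" style strings.
# The "Nexus/<version>" Server-banner layout is an assumption, not taken from the page.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(text: str) -> Optional[NexusVersion]:
    """Pull the first x.y.z[-NN] version out of a banner or header string."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return NexusVersion(int(major), int(minor), int(patch),
                        int(build) if build is not None else None)


def is_affected(v: NexusVersion) -> bool:
    """True when 3.0.0 <= v < 3.15.0, the range this advisory covers.

    The build qualifier is ignored: the fix ships with the 3.15.0 release,
    so 3.14.0-04 is affected and 3.15.0-01 is not.
    """
    return v.major == 3 and v.core() < FIXED_VERSION


def triage(server_header: str) -> dict:
    """Turn one banner value into a triage verdict and a next action."""
    v = parse_version(server_header)
    if v is None:
        return {"version": None, "affected": None,
                "action": "no version in banner; confirm release manually"}
    if v.major != 3:
        return {"version": v, "affected": None,
                "action": "not a 3.x release; outside the range this advisory lists"}
    if is_affected(v):
        return {"version": v, "affected": True,
                "action": "upgrade to 3.15.0 or later; restrict network access until then"}
    return {"version": v, "affected": False, "action": "no action for CVE-2019-7238"}


# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_HOSTS = {
    "nexus-build.internal": "Nexus/3.14.0-04 (OSS)",
    "nexus-prod.internal": "Nexus/3.15.0-01 (PRO)",
    "nexus-legacy.internal": "Nexus/3.2.1-01 (OSS)",
    "nexus-new.internal": "Nexus/3.74.0-05 (OSS)",
    "nexus2.internal": "Nexus/2.14.20-02",
    "proxy.internal": "nginx",
}


def triage_inventory(hosts: dict) -> dict:
    """Run triage over a {host: banner} map; returns {host: verdict}."""
    return {host: triage(banner) for host, banner in hosts.items()}


if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_HOSTS).items():
        ver = verdict["version"]
        shown = f"{ver.major}.{ver.minor}.{ver.patch}" if ver else "?"
        print(f"{host:24} {shown:10} affected={verdict['affected']!s:5} {verdict['action']}")
```

A banner is only a hint: an instance behind a reverse proxy may hide or rewrite it, so an unknown or non-Nexus banner is reported as "confirm manually" rather than silently treated as safe. Nexus 2.x is outside the 3.0.0 to 3.15.0 range this page lists and is flagged separately rather than marked unaffected.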

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces approved authorizations on Nexus repository functions, blocking the unauthenticated access path that enables RCE.

AC-6 Least Privilege (prevent)

Runs the Nexus service with the minimum privileges it needs, so that code executed through the repository APIs does not inherit full system rights; this contains the impact of a successful exploit rather than preventing the code execution itself.

AC-17 Remote Access (partial match, prevent)

Requires explicit authorization and security controls for all remote connections to the Nexus instance, reducing the exposure of the open network vector described in the CVE. None of these controls replaces the upgrade to 3.15.0 or later.
