Thousands Left Vulnerable in Nexus Repository

A recent breach in Nexus Repository left many companies and government agencies vulnerable, as thousands of private artifacts were left unprotected, according to a July 2 blog post from researchers Daniel Shapira and Ariel Zelivansky, with Twistlock Labs. While this breach was swiftly rectified, Shapira and Zelivansky noted that this type of hack could have had catastrophic consequences and cannot be taken lightly. A team of dedicated white hats identified these weaknesses within Nexus Repository. In a July 2 blog post, researchers wrote, “During my recent work I have discovered two security vulnerabilities in Nexus Repository that affect all users under default settings. “This post is a dive into these vulnerabilities, which exposed thousands of private artifacts across a broad range of industries, including financial services, healthcare, communications, government agencies and countless private companies. But first, let's dig into what a Nexus Repository Manager actually is. According to Sonatype’s website, millions of developers trust the Sonatype Nexus Repository Manager, which has more than 120,000 active repositories and claimed it is “the perfect system of record for all your software parts.