Posted to issues@maven.apache.org by "Sam Gleske (JIRA)" <ji...@apache.org> on 2019/06/17 20:19:00 UTC

[jira] [Created] (MNG-6683) Maven Central returns 200 status for Nexus vulnerability page

Sam Gleske created MNG-6683:
-------------------------------

             Summary: Maven Central returns 200 status for Nexus vulnerability page
                 Key: MNG-6683
                 URL: https://issues.apache.org/jira/browse/MNG-6683
             Project: Maven
          Issue Type: Bug
            Reporter: Sam Gleske


My on-site Nexus instance is caching artifacts with a SHA1 checksum 304aee16ce585ea362af56fe4044e9aa3ad0a84d.

The contents of the page are:

 
{noformat}
Forbidden

Access to the Central Repository has been temporarily blocked

You've been identified as running a version of Nexus Repository Manager that is vulnerable to botnet exploitation [1]

It is strongly advised that you upgrade Nexus Repository Manager to the latest version, currently 3.16.2. Please visit the Sonatype NXRM download page [2]

For further information on the vulnerability, affected versions, and remediation paths, please our official announcement at [3]{noformat}
Links
 # [https://community.sonatype.com/t/botnet-exploitation-of-nxrm-up-to-3-14-0/1993]
 # [https://help.sonatype.com/repomanager3/download]
 # [https://community.sonatype.com/t/botnet-exploitation-of-nxrm-up-to-3-14-0/1993]

h2. Issue

Because Maven Central returns a 200 status for the vulnerability "Forbidden" page, our Nexus instance is caching a lot of junk artifacts. We've since upgraded to a non-vulnerable Nexus, but it seems Central is still returning the "Forbidden" error page.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
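
A cache audit for the failure mode reported above, added here as an example; it is not part of the original report and is not Maven or Nexus code. It assumes the cached files are available as a Maven-layout directory tree (the path on the command line is hypothetical), the function names are illustrative, and the marker phrase is taken from the page text quoted in the issue.

```python
import hashlib
import os
import sys

# SHA-1 the reporter gives for the cached "Forbidden" page.
BLOCK_PAGE_SHA1 = "304aee16ce585ea362af56fe4044e9aa3ad0a84d"
# Phrase from the page text quoted in the issue (assumed to appear verbatim in the raw body).
BLOCK_PAGE_MARKER = b"Access to the Central Repository has been temporarily blocked"
# Leading bytes a real artifact should have: ZIP magic for archives, XML for POMs.
MAGIC = {".jar": (b"PK\x03\x04",), ".war": (b"PK\x03\x04",), ".pom": (b"<?xml", b"<project")}

def sha1_of(path):
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def classify(path, bad_sha1s=(BLOCK_PAGE_SHA1,)):
    """Return why a cached file looks like an error page, or None if it looks sane."""
    if sha1_of(path) in bad_sha1s:
        return "known-bad-sha1"
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if BLOCK_PAGE_MARKER in head:
        return "block-page-text"
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    # Tolerate a UTF-8 BOM or leading whitespace before an XML prolog.
    if expected and not head.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(expected):
        return "bad-magic"
    return None

def scan(root, bad_sha1s=(BLOCK_PAGE_SHA1,)):
    """Walk a Maven-layout tree and map relative path -> reason for each suspect file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = classify(path, bad_sha1s)
            if reason:
                findings[os.path.relpath(path, root)] = reason
    return findings

if __name__ == "__main__":
    # Usage: python audit_cache.py /path/to/exported/repository  (path is hypothetical)
    for rel, reason in sorted(scan(sys.argv[1]).items()):
        print(f"{reason}\t{rel}")
```

Files flagged `bad-magic` are error pages other than the one in this report that were cached under an artifact name for the same reason: the upstream answered 200 with a non-artifact body.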