Posted to issues@maven.apache.org by "Sam Gleske (JIRA)" <ji...@apache.org> on 2019/06/17 20:19:00 UTC
[jira] [Created] (MNG-6683) Maven Central returns 200 status for Nexus vulnerability page
Sam Gleske created MNG-6683:
-------------------------------
Summary: Maven Central returns 200 status for Nexus vulnerability page
Key: MNG-6683
URL: https://issues.apache.org/jira/browse/MNG-6683
Project: Maven
Issue Type: Bug
Reporter: Sam Gleske
My on-site Nexus instance is caching artifacts with a SHA1 checksum 304aee16ce585ea362af56fe4044e9aa3ad0a84d.
The contents of the page are:
{noformat}
Forbidden
Access to the Central Repository has been temporarily blocked
You've been identified as running a version of Nexus Repository Manager that is vulnerable to botnet exploitation [1]
It is strongly advised that you upgrade Nexus Repository Manager to the latest version, currently 3.16.2. Please visit the Sonatype NXRM download page [2]
For further information on the vulnerability, affected versions, and remediation paths, please our official announcement at [3]
{noformat}
Links
# [https://community.sonatype.com/t/botnet-exploitation-of-nxrm-up-to-3-14-0/1993]
# [https://help.sonatype.com/repomanager3/download]
# [https://community.sonatype.com/t/botnet-exploitation-of-nxrm-up-to-3-14-0/1993]
h2. Issue
Because Maven Central returns a 200 status for the vulnerability "Forbidden" page, our Nexus instance is caching a lot of junk artifacts. We've since upgraded to a non-vulnerable Nexus, but it seems Central is still returning the "Forbidden" error page.
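A cache check for the situation this report describes, as an added example that is not part of the original message or of Maven or Nexus code: it walks a repository cache directory and flags files whose SHA-1 equals the checksum quoted in the report, or whose first bytes contain the block-page sentence. The function names, directory layout and sample files are constructed assumptions.

```python
import hashlib
import os
import tempfile

# SHA-1 quoted in the report for the cached "Forbidden" page.
BLOCK_PAGE_SHA1 = "304aee16ce585ea362af56fe4044e9aa3ad0a84d"
# Sentence taken from the block page text quoted in the report.
BLOCK_PAGE_MARKER = b"Access to the Central Repository has been temporarily blocked"


def classify(path, known_sha1=BLOCK_PAGE_SHA1, marker=BLOCK_PAGE_MARKER):
    """Return 'sha1', 'marker' or None for one cached file."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        head = fh.read(65536)  # an error page is small; larger files are hashed in chunks
        digest.update(head)
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    if digest.hexdigest() == known_sha1:
        return "sha1"
    # The page embeds a version number and may change, so also match the sentence.
    if marker in head:
        return "marker"
    return None


def find_block_pages(root, **kwargs):
    """Walk a cache directory; return sorted (relative_path, reason) for suspect files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full, **kwargs)
            if reason:
                hits.append((os.path.relpath(full, root), reason))
    return sorted(hits)


def demo():
    """Constructed cache: one plausible jar and one .pom that is really the block page."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "org", "example", "1.0")  # hypothetical coordinates
        os.makedirs(base)
        with open(os.path.join(base, "example-1.0.jar"), "wb") as fh:
            fh.write(b"PK\x03\x04 constructed jar bytes")
        with open(os.path.join(base, "example-1.0.pom"), "wb") as fh:
            fh.write(b"<html>Forbidden\n" + BLOCK_PAGE_MARKER + b"</html>")
        return find_block_pages(root)


if __name__ == "__main__":
    print(demo())
```

Files reported with reason `sha1` are byte-identical to the page the report describes; `marker` hits are the same page with different surrounding bytes and should be evicted from the proxy cache as well.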