CVE-2020-11444: 
NixOS vulnerability analysis and mitigation

Sonatype Nexus Repository Manager 3.x up to and including version 3.21.2 was discovered to have incorrect access control vulnerabilities. The vulnerability was identified on April 2nd, 2020, and was assigned CVE-2020-11444. This security issue affects all previous versions of Nexus Repository 3 OSS/Pro up to and including version 3.21.2 (Sonatype Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 7.1 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L. The issue stems from improper access control implementation where authenticated users can craft specific requests that affect configuration settings for other users in the system (Sonatype Advisory).

When exploited, this vulnerability allows an authenticated attacker to modify configuration settings for other users within the system. The impact primarily affects the integrity of user configurations and could potentially lead to system availability issues (Sonatype Advisory).

The vulnerability was fixed in Nexus Repository OSS/Pro version 3.22.0. Sonatype strongly recommends all users to upgrade their installations to version 3.22.0 or later to address this security issue. The fix implements necessary access controls to prevent unauthorized configuration modifications (Sonatype Advisory).

The vulnerability was responsibly reported by security researcher David Lindner (@golfhackerdave), who worked with Sonatype to address the issues. Given that Nexus Repository Manager is an open source project with over 150,000 active server installations, Sonatype took a proactive approach in their outreach activities to achieve rapid remediation (Sonatype Advisory).