CVE-2021-30635: 
Sonatype Nexus 3 vulnerability analysis and mitigation

Sonatype Nexus Repository Manager 3.x before version 3.30.1 was found to contain a directory traversal vulnerability (CVE-2021-30635). The vulnerability was discovered by Bart Stakun, Jakub Botwicz, and Itunuoluwa Odetokun from Goldman Sachs' Security Research team and was disclosed on April 22, 2021. This security flaw affects all versions of Nexus Repository Manager 3 up to and including version 3.30.0 (Sonatype Advisory).

The vulnerability allows an unauthenticated remote attacker to get a list of files and directories that exist in a UI-related folder through directory traversal. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD Database).

The impact of this vulnerability is limited to information disclosure of static resources that form part of the Nexus Repository UI. Importantly, the vulnerability does not expose any customer-specific data. An unauthenticated attacker could only obtain a list of files and directories that exist in the web server's public folder (Sonatype Advisory).

The recommended mitigation is to upgrade to Nexus Repository Manager 3 version 3.30.1 or later. Sonatype strongly encourages all organizations utilizing Nexus Repository Manager to immediately assess their individual impact and take appropriate action in response to this vulnerability (Sonatype Advisory).