CVE-2019-7238
CVE-2019-7238
Vexday Risk Score
100Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
Exploit maturity
Functional exploit
Popular PoC on GitHub (153 stars) — exploitation code widely available.
CVSS 9.8EPSS 76.5%KEV simPoC públicaNuclei simMetasploit —Patch —
Lifecycle
24 Feb 2019Public PoC
21 Mar 2019Published on NVD
10 Dec 2021Active exploitation (CISA KEV)
Weaponization speed
994 daysto active exploitation (KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
Sonatype Nexus Repository Manager versions before 3.15.0 have a flaw that allows unauthorized users to access or modify repository contents that should be restricted. This is critical because repositories often contain sensitive software components.
Technical detail
The vulnerability stems from improper access control enforcement in Nexus Repository Manager prior to version 3.15.0, allowing unauthenticated or low-privileged attackers to bypass permission checks and access protected repositories. The attack requires network access to the Nexus instance with no special preconditions, resulting in unauthorized read/write access to repository data.
Summary generated and translated by AI from the official description.
Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/apublic PoCs found — 11
githubgithub.com/mpgn/CVE-2019-7238★ 153githubgithub.com/jas502n/CVE-2019-7238★ 85githubgithub.com/verctor/nexus_rce_CVE-2019-7238★ 39githubgithub.com/magicming200/CVE-2019-7238_Nexus_RCE_Tool★ 24githubgithub.com/DannyRavi/nmap-scripts★ 2githubgithub.com/smallpiggy/CVE-2019-7238★ 1vulncheckvulncheck.com/xdb/b3a349f42d18unverifiedvulncheckvulncheck.com/xdb/3edc0bb5ba96unverifiedvulncheckvulncheck.com/xdb/4da5a08d9ad8unverifiedvulncheckvulncheck.com/xdb/ea23cc246706unverifiedvulncheckvulncheck.com/xdb/3190c1277623unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.