  1. Dev - Nexus Repo
  2. NEXUS-7834

Nexus allows direct access to trash directory through content URLs.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.11
    • Fix Version/s: 2.11.2
    • Component/s: Repository
    • Story Points: 1
    • Sprint: Sprint 33, Sprint 34

      Description

      Nexus allows direct access to trash directory contents through /content URLs.

      Directory browsing does not work:

      https://oss.sonatype.org/content/repositories/releases/.nexus/trash

      But direct access does (note, this file might not be there anymore at some point, but right now the download works).

      https://oss.sonatype.org/content/repositories/releases/.nexus/trash/br/com/address/archetypes/strtus2-archetype/maven-metadata.xml

      This is a security concern: some of our customers have artifacts which are only accessible to a small set of developers, and are protected via repository target privileges. Access through /.nexus/trash will likely bypass these restrictions.

              People

              Assignee:
              alin Alin Dreghiciu
              Reporter:
              rseddon Rich Seddon
              Last Updated By:
              Peter Lynch Peter Lynch
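
The bypass described in this issue, as a small Python model added here (not Nexus code and not part of the original report). The role names, target patterns and artifact paths are constructed, and the hardened check is one possible mitigation, not necessarily the fix shipped in 2.11.2.

```python
import posixpath
import re

# Hypothetical model of path-based "repository target" authorization.
# A request is allowed when the path fully matches a pattern held by one of
# the caller's roles. Roles, patterns and paths below are constructed.
ROLE_TARGETS = {
    "core-team": [r"/com/acme/secret/.*"],      # the restricted artifacts
    "everyone": [r"/(?!com/acme/secret/).*"],   # everything except that tree
}

# Repository-internal storage area; the trash directory lives under it.
INTERNAL_PREFIX = "/.nexus/"


def normalize(path):
    """Collapse '.', '..' and repeated slashes before any policy decision."""
    return posixpath.normpath("/" + path.lstrip("/"))


def allowed_naive(roles, path):
    """Match only the requested path. A trashed copy of a restricted artifact
    sits at /.nexus/trash/<original path>, which no longer starts with the
    restricted prefix, so the broad 'everyone' pattern matches it."""
    p = normalize(path)
    return any(re.fullmatch(rx, p) for r in roles for rx in ROLE_TARGETS[r])


def allowed_hardened(roles, path):
    """Refuse repository-internal paths on the content URL before evaluating
    targets, so trashed artifacts are never reachable by direct request."""
    p = normalize(path)
    if p == INTERNAL_PREFIX.rstrip("/") or p.startswith(INTERNAL_PREFIX):
        return False
    return allowed_naive(roles, p)


if __name__ == "__main__":
    secret = "/com/acme/secret/app-1.0.jar"     # constructed artifact path
    trashed = "/.nexus/trash" + secret          # the same artifact after deletion
    for label, check in (("naive", allowed_naive), ("hardened", allowed_hardened)):
        print(label, "direct:", check(["everyone"], secret),
              "via trash:", check(["everyone"], trashed))
```

Normalizing before the prefix test matters: a request such as `/org/../.nexus/trash/...` must be rejected the same way as the plain form.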