In March, a researcher from Twistlock contacted us about two issues he identified, stemming from user access settings. As with any disclosure, we immediately looked into it.
The disclosure questioned the long-standing ability to allow a repository to provide anonymous access for reading artifacts. Since this was not a new capability, and because it affects common and legitimate use cases, we did not view this as a zero-day vulnerability requiring merely a technical fix. Instead, we decided to approach it as a product feature UX change to make it easier for users to be more secure.
The majority of repository managers are deployed inside a firewall and intentionally configured to allow anonymous access for sharing artifacts. This is a useful capability to provide organizations who choose to do so.
Obviously, providing wide-open read access on the public Internet should be carefully considered, but as you see with many public forges, the ability to serve common artifacts without requiring a user to sign up is critically important.
While we disagreed with the assessment that anonymous access should be completely removed from the product, we agreed that more could be done to require a definitive choice to enable anonymous access during initial setup. We addressed this as quickly as possible with a rolling fix: one part in our 3.16.2 product release and one in our most recent update, 3.17.
As always, we want to emphasize the importance of upgrading to the latest version of Nexus Repository. In this case, we additionally ask that organizations re-review whether their use of anonymous read access is appropriate for their use case.
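One practical way to carry out that re-review is to probe your own repository manager from an unauthenticated client and record which repositories serve artifacts without credentials. The script below is an added example written for this post, not Sonatype's code or a Nexus API; it assumes the conventional `<base>/repository/<name>/<path>` URL layout and uses a placeholder hostname and constructed repository names and artifact paths that you would replace with your own. It only reads, and it classifies the HTTP status it gets back so the result can be compared against the access policy you intended.

```python
"""Audit which repositories answer unauthenticated read requests.

Added example (not Sonatype's code). Assumptions:
  - repositories are served at <BASE_URL>/repository/<name>/<path>
  - BASE_URL and REPOSITORIES are constructed placeholders
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Placeholder instance; replace with your own repository manager.
BASE_URL = "https://nexus.example.internal"

# Constructed sample: repository name -> a path known to exist in it.
REPOSITORIES = {
    "maven-releases": "com/example/app/1.0/app-1.0.pom",
    "npm-proxy": "left-pad/-/left-pad-1.3.0.tgz",
}


def http_status(url: str) -> int:
    """Issue a GET with no credentials and return the HTTP status code."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Map a status code to what it means for anonymous read access."""
    if status == 200:
        return "anonymous-read"
    if status in (401, 403):
        return "auth-required"
    if status == 404:
        return "not-found"
    return "unknown"


def audit(base_url: str, repositories: Dict[str, str],
          fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Probe each repository's known artifact path without credentials.

    `fetch` is injectable so the logic can be exercised offline.
    """
    results: Dict[str, str] = {}
    for name, path in repositories.items():
        url = f"{base_url.rstrip('/')}/repository/{name}/{path.lstrip('/')}"
        results[name] = classify(fetch(url))
    return results


def anonymous_readable(results: Dict[str, str]) -> List[str]:
    """Names of repositories that served content with no authentication."""
    return sorted(name for name, verdict in results.items()
                  if verdict == "anonymous-read")


if __name__ == "__main__":
    findings = audit(BASE_URL, REPOSITORIES)
    for name, verdict in findings.items():
        print(f"{name}: {verdict}")
    exposed = anonymous_readable(findings)
    print("anonymous read enabled on:", ", ".join(exposed) or "none")
```

Run it from a network position that matches your threat model (for an instance reachable from the public Internet, run it from outside the firewall) and compare the `anonymous-read` list with the repositories you deliberately intend to share; anything else is a candidate for turning anonymous access off.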