Security researcher Christian August Holm Hansen disclosed a remote command in the Nexus Repository Manager 2.X execution vulnerability. The account has permission to deploy vulnerability default. After a successful login, you can use the "createrepo" or "mergerepo" to customize the configuration, and can trigger remote command execution vulnerability. As CVE ID CVE-2019-5475.
Image: sonatype
" Nexus is a repository manager. It allows your agent to collect and manage your dependencies, so you do not often deal with JAR collection. It allows you to easily distribute software. Inside, you will build configured to work publish to Nexus, then they are available to other developers. You can get to have their own "core" benefits, and there is no easier way to collaborate . "
Nexus Repository Manager 2.x version of the default deployment rights account admin / admin123, an attacker can use "createrepo" or "mergerepo" configuration directly log on to remote command execution.
Affected versions
- Nexus Repository Manager OSS <= 2.14.13
- Nexus Repository Manager Pro <= 2.14.13
Unaffected version
- Nexus Repository Manager OSS/Pro version 2.14.14
Solution
Affected users will be updated as soon as version unaffected.