CVE-2019-5475: Nexus Repository Manager 2 – OS Command Injection Vulnerability Alert

Security researcher Christian August Holm Hansen disclosed a remote command execution vulnerability in Nexus Repository Manager 2.X. The product ships with a deployment-permission account by default. After logging in with it, an attacker can customize the “createrepo” or “mergerepo” configuration and trigger remote command execution. The CVE ID is CVE-2019-5475.

CVE-2019-5475

Image: sonatype

“Nexus is a repository manager. It allows you to proxy, collect, and manage your dependencies so that you are not constantly juggling a collection of JARs. It makes it easy to distribute your software. Internally, you configure your build to publish artifacts to Nexus and they then become available to other developers. You get the benefits of having your own ‘central’, and there is no easier way to collaborate.”

Nexus Repository Manager 2.x ships with a default deployment-permission account (admin/admin123). An attacker can log in directly with it and use the “createrepo” or “mergerepo” configuration to achieve remote command execution.

Affected version

  • Nexus Repository Manager OSS <= 2.14.13
  • Nexus Repository Manager Pro <= 2.14.13

Unaffected version

  • Nexus Repository Manager OSS/Pro version 2.14.14
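As an added check that is not part of this advisory, the script below parses a constructed Nexus 2 status response (assumed to follow the shape of the `service/local/status` XML the 2.x REST API returns) and reports whether the version it carries falls in the affected range, comparing version components numerically rather than as strings.

```python
import re
import xml.etree.ElementTree as ET

# Fixed version from the advisory: OSS/Pro 2.14.14 is unaffected.
FIXED_VERSION = (2, 14, 14)

# Constructed sample of a Nexus 2 status response; assumed to resemble
# GET /nexus/service/local/status and not captured from a real server.
SAMPLE_STATUS_XML = """<status-response>
  <data>
    <appName>Nexus Repository Manager</appName>
    <editionLong>OSS</editionLong>
    <version>2.14.13-01</version>
  </data>
</status-response>"""


def parse_version(version: str) -> tuple:
    """Turn '2.14.13-01' into (2, 14, 13), ignoring the build suffix.
    Numeric tuples compare correctly, unlike strings ('2.9' > '2.14')."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Nexus version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """CVE-2019-5475 affects every 2.x release before 2.14.14.
    3.x is a separate code base and is outside this advisory."""
    v = parse_version(version)
    return v[0] == 2 and v < FIXED_VERSION


def check_status_xml(xml_text: str) -> dict:
    """Extract edition and version from a status response and rate it."""
    root = ET.fromstring(xml_text)
    version = root.findtext("./data/version")
    edition = root.findtext("./data/editionLong")
    if version is None:
        raise ValueError("status response has no <version> element")
    return {"edition": edition, "version": version,
            "affected": is_affected(version)}


if __name__ == "__main__":
    print(check_status_xml(SAMPLE_STATUS_XML))
```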

Solution

Affected users update to the unaffected version as soon as possible.