Security researcher Christian August Holm Hansen disclosed a remote command execution vulnerability in Nexus Repository Manager 2.X. The vulnerability has a deployment permission account by default. After successful login, you can use “createrepo” or “mergerepo” to customize the configuration and can trigger a remote command execution vulnerability. The CVE ID is CVE-2019-5475.
“Nexus is a repository manager. It allows you to proxy, collect, and manage your dependencies so that you are not constantly juggling a collection of JARs. It makes it easy to distribute your software. Internally, you configure your build to publish artifacts to Nexus and they then become available to other developers. You get the benefits of having your own ‘central’, and there is no easier way to collaborate.”
- Nexus Repository Manager OSS <= 2.14.13
- Nexus Repository Manager Pro <= 2.14.13
- Nexus Repository Manager OSS/Pro version 2.14.14
Affected users update to the unaffected version as soon as possible.