Tue. Feb 25th, 2020

CVE-2019-5475: Nexus Repository Manager 2 – OS Command Injection Vulnerability Alert


Security researcher Christian August Holm Hansen disclosed a remote command execution vulnerability in Nexus Repository Manager 2.x, tracked as CVE-2019-5475. Nexus 2.x ships with a default account that carries deployment (administrative) permission. An attacker who logs in with it can change the “createrepo” or “mergerepo” settings (the paths to the external createrepo and mergerepo tools that Nexus executes) so that Nexus runs a command of the attacker's choosing, which yields remote command execution.


“Nexus is a repository manager. It allows you to proxy, collect, and manage your dependencies so that you are not constantly juggling a collection of JARs. It makes it easy to distribute your software. Internally, you configure your build to publish artifacts to Nexus and they then become available to other developers. You get the benefits of having your own ‘central’, and there is no easier way to collaborate.”

Nexus Repository Manager 2.x ships with the default administrative account admin/admin123. Where these credentials have not been changed, an attacker can log in directly, edit the “createrepo” or “mergerepo” configuration, and achieve remote command execution without needing any other foothold.

Affected versions

  • Nexus Repository Manager OSS <= 2.14.13
  • Nexus Repository Manager Pro <= 2.14.13

Fixed version

  • Nexus Repository Manager OSS/Pro version 2.14.14


Affected users should update to version 2.14.14 or later as soon as possible. Until then, make sure the default admin/admin123 credentials have been changed and that administrative access to Nexus is not reachable from untrusted networks, since the attack only needs a login with permission to edit that configuration.
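The two things a practitioner wants to know after reading this advisory are whether an instance reports a version in the affected range and whether the default admin/admin123 credentials are still accepted. The script below is an added example for that check; it is not Sonatype's code and not part of the original advisory. It assumes the Nexus 2 REST endpoint /service/local/status is exposed and, when asked for JSON, returns a body shaped like {"data": {"version": "2.14.13-01", ...}}; the sample body embedded in the script is constructed so the parsing and version logic can be exercised offline.

```python
"""Check a Nexus Repository Manager 2.x instance against CVE-2019-5475.

Added example, not Sonatype's code. Two checks:
  1. Is the reported version in the affected range (2.x below 2.14.14)?
  2. Are the default admin/admin123 credentials still accepted?
Assumptions: the instance exposes the Nexus 2 REST endpoint
/service/local/status and, with an Accept: application/json header,
returns a body shaped like {"data": {"version": "2.14.13-01", ...}}.
"""
import base64
import json
import sys
import urllib.error
import urllib.request

FIXED_VERSION = (2, 14, 14)            # first release carrying the fix
DEFAULT_CREDS = ("admin", "admin123")  # default account named in the advisory

# Constructed sample body for offline use; the shape is an assumption.
SAMPLE_STATUS = '{"data": {"version": "2.14.13-01", "editionShort": "OSS"}}'


def version_tuple(version):
    """'2.14.13-01' -> (2, 14, 13); the '-NN' build suffix is dropped."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True for any 2.x release below 2.14.14. Nexus 3.x is outside the
    scope of this advisory and is reported as not affected here."""
    v = version_tuple(version)
    return v[0] == 2 and v < FIXED_VERSION


def parse_status(body):
    """Pull the product version out of a /service/local/status JSON body.
    Returns None if the body is not JSON of the assumed shape."""
    try:
        return json.loads(body)["data"]["version"]
    except (ValueError, KeyError, TypeError):
        return None


def fetch_status(base_url, user, password, timeout=10):
    """GET /service/local/status with HTTP Basic auth.

    Returns (http_status, body). A 401 means Nexus rejected the
    credentials; a 200 means they were accepted (assumption: Nexus 2
    challenges bad Basic credentials rather than treating the request
    as anonymous).
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/service/local/status",
        headers={"Authorization": "Basic " + token,
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def assess(status_code, body):
    """Turn an HTTP status and body into a verdict; pure, so it is testable."""
    creds_accepted = status_code == 200
    version = parse_status(body) if creds_accepted else None
    return {
        "version": version,
        "affected": is_affected(version) if version else None,
        "default_creds_accepted": creds_accepted,
    }


if __name__ == "__main__":
    # Base URL is an assumption; Nexus 2 is commonly served under /nexus.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8081/nexus"
    code, text = fetch_status(url, *DEFAULT_CREDS)
    print(assess(code, text))
```

Run it as `python check_nexus.py http://host:8081/nexus` against an instance you are authorised to test. A verdict of `affected: True` together with `default_creds_accepted: True` is the exact precondition the advisory describes; either one alone still calls for action (upgrade, or rotate the default credentials).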