Nexus Repository Manager <= 2.14.14 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Vulnerability

Summary

Nexus Repository Manager <= 2.14.14 contains an OS Command Injection vulnerability that could allow an attacker to achieve Remote Code Execution (RCE).

Credit:

The information has been provided by Christian August Holm Hansen

The original article can be found at: https://support.sonatype.com/hc/en-us/articles/360033490774-CVE-2019-5475-Nexus-Repository-Manager-2-OS-Command-Injection-2019-08-09


Details

Every instance that passes user-supplied data to CommandLineExecutor.java is vulnerable, such as the Yum Configuration Capability.

Vulnerable Systems:

Nexus Repository Manager <= 2.14.14

CVE Information:

CVE-2019-15588

Disclosure Timeline:
Published Date: 11/01/2019