OS Command Injection Vulnerability in Nexus Repository Manager by Sonatype
CVE-2019-15588

7.2HIGH

Key Information:

Vendor: Sonatype
Status: Nexus Repository Manager
Vendor: CVE Published:; 1 November 2019

Badges

👾 Exploit Exists

What is CVE-2019-15588?

An OS Command Injection vulnerability exists in Nexus Repository Manager versions 2.14.14 and earlier, allowing attackers to exploit instances that utilize CommandLineExecutor.java with user-supplied input. This vulnerability poses significant risks as it can facilitate Remote Code Execution (RCE), particularly through components like the Yum Configuration Capability, which were designed to accept external commands.

Affected Version(s)

Nexus Repository Manager <= 2.14.14

References

https://hackerone.com/reports/688270

x_refsource_MISC

https://support.sonatype.com/hc/en-us/articles/3600334907...

x_refsource_CONFIRM

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 19, 2020
👾
Exploit known to exist
Dec 19, 2020
Vulnerability published
Nov 1, 2019
Vulnerability Reserved
Aug 26, 2019