CVE-2019-5475
Published 2019-11-01
Priority: P2 · 67 · high
CVSS 3.0: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 18.40% (96.9th percentile)
There is an OS Command Injection in Nexus Repository Manager <= 2.14.14 (bypass CVE-2019-5475) that could allow an attacker a Remote Code Execution (RCE). All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonatype | nexus_repository_manager | <= 2.14.14 | — |
| sonatype | nexus_repository_manager | — | — |
| sonatype | nexus_repository_manager | 2.0 – 2.14.9-01 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP PUT requests to the Nexus REST API endpoint /nexus/service/siesta/capabilities/* for modifications to Yum Configuration capabilities, especially changes to 'createrepoPath' or 'mergerepoPath' fields containing shell metacharacters or unexpected binary paths.
- Detect IFS-based space substitution (${IFS}) in HTTP request bodies targeting Nexus capability configuration endpoints, used to bypass the getCleanCommand filter introduced in the CVE-2019-5475 patch.
- Alert on Nexus Repository Manager process spawning unexpected child processes (e.g. bash, curl, calc.exe) as SYSTEM or the Nexus service account, originating from CommandLineExecutor.java execution context.
- Inspect XML payloads in PUT requests to Nexus capabilities API for the 'createrepoPath' property containing values other than a legitimate createrepo/mergerepo binary path.
- The bypass (CVE-2019-15588) affects Nexus Repository Manager <= 2.14.14; the original CVE-2019-5475 patch introduced getCleanCommand() filtering which is incomplete and can be evaded using shell IFS substitution and logical operators.
- Exploitation requires an authenticated user with sufficient privileges (e.g. admin) to create or edit Yum Configuration capabilities; the Authorization header in the PoC uses Basic auth with default admin:admin123 credentials.
- On Windows, Nexus appends --version to the injected OS command, which may affect payload construction but does not prevent execution of the injected binary.
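The first, second and fourth detection items above can be turned into a single request-inspection rule. The following is an added example, not code from this page, Sonatype or the HackerOne reports: it scans constructed HTTP request records for PUTs to the capabilities endpoint, pulls the `createrepoPath` / `mergerepoPath` properties out of the XML body, and flags values that contain `${IFS}`, shell metacharacters, or anything other than an absolute path ending in `createrepo` or `mergerepo`. The XML shapes it parses (a `<property><key>/<value>` pair, or a bare `<createrepoPath>` element), the `Request` record layout and all sample bodies are assumptions made for the example, since the real capability schema is not reproduced on this page.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Endpoint named in the detection guidance above.
CAPABILITY_PATH = re.compile(r"^/nexus/service/siesta/capabilities(?:/|$)")
WATCHED_KEYS = {"createrepoPath", "mergerepoPath"}

# Characters that let a value break out of a single argv entry into shell syntax.
SHELL_META = re.compile(r"[;&|`$<>(){}\r\n]")
# IFS-based whitespace substitution ($IFS or ${IFS}) used to bypass getCleanCommand().
IFS_SUBST = re.compile(r"\$\{?IFS\}?")
# Assumption: on Linux a legitimate value is an absolute path whose last component is
# the createrepo/mergerepo binary. A Windows deployment would need its own pattern.
LEGIT_BINARY = re.compile(r"^/(?:[\w.-]+/)*(?:createrepo|mergerepo)$")


@dataclass
class Request:          # assumed minimal shape of an access-log / proxy record
    method: str
    path: str
    body: str


@dataclass
class Finding:
    request_index: int
    key: str
    value: str
    reasons: list = field(default_factory=list)


def extract_watched_properties(body: str) -> dict:
    """Return {key: value} for watched keys found in the XML body.

    Handles two assumed layouts: <property><key>K</key><value>V</value></property>
    and a direct <K>V</K> element. Unparseable bodies yield nothing."""
    found = {}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return found
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]          # drop any XML namespace prefix
        if tag in WATCHED_KEYS and elem.text is not None:
            found[tag] = elem.text.strip()
        elif tag == "property":
            key, value = elem.findtext("key"), elem.findtext("value")
            if key in WATCHED_KEYS and value is not None:
                found[key] = value.strip()
    return found


def assess_value(value: str) -> list:
    """Reasons a createrepo/mergerepo path value looks suspicious (empty list = clean)."""
    reasons = []
    if IFS_SUBST.search(value):
        reasons.append("ifs-substitution")
    if SHELL_META.search(value):
        reasons.append("shell-metacharacter")
    if not LEGIT_BINARY.match(value):
        reasons.append("unexpected-binary-path")
    return reasons


def inspect_request(index: int, req: Request) -> list:
    """Apply the rule to one request: only PUTs to the capabilities endpoint are in scope."""
    if req.method.upper() != "PUT" or not CAPABILITY_PATH.match(req.path):
        return []
    findings = []
    for key, value in extract_watched_properties(req.body).items():
        reasons = assess_value(value)
        if reasons:
            findings.append(Finding(index, key, value, reasons))
    return findings


def scan(requests) -> list:
    """Run the rule over a sequence of requests and collect every finding."""
    return [f for i, req in enumerate(requests) for f in inspect_request(i, req)]


# Constructed sample traffic (not captured from a real Nexus instance).
_CAP = "/nexus/service/siesta/capabilities/yum-config-1"
_PROPS = ("<capability><typeId>yum</typeId><properties>"
          "<property><key>createrepoPath</key><value>{c}</value></property>"
          "<property><key>mergerepoPath</key><value>/usr/bin/mergerepo</value></property>"
          "</properties></capability>")
SAMPLE_REQUESTS = [
    Request("PUT", _CAP, _PROPS.format(c="/usr/bin/createrepo")),            # benign edit
    Request("PUT", _CAP, _PROPS.format(c="/bin/sh${IFS}-c${IFS}id")),        # IFS bypass shape
    Request("PUT", _CAP, "<capability><createrepoPath>/usr/bin/createrepo||/usr/bin/id"
                         "</createrepoPath></capability>"),                  # logical-operator shape
    Request("GET", _CAP, ""),                                                # read, out of scope
    Request("PUT", "/nexus/service/local/repositories/r1", _PROPS.format(c="x;id")),  # other endpoint
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"request #{f.request_index}: {f.key}={f.value!r} -> {', '.join(f.reasons)}")
```

Only the two PUTs carrying a tampered `createrepoPath` are reported; the benign edit, the GET, and the PUT to an unrelated endpoint are silent. In production this would be fed from a reverse-proxy or WAF log that retains request bodies, and the `unexpected-binary-path` reason alone is worth alerting on, since the patch's filter can be evaded in ways a metacharacter list will not anticipate.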
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
GHSA
GHSA-h8gj-qmf3-67wf: There is an OS Command Injection in Nexus Repository Manager <= 2
ghsa_unreviewed · 2022-05-24 · CVSS 8.8 · CVE-2019-15588 [HIGH] · CWE-77
There is an OS Command Injection in Nexus Repository Manager <= 2.14.14 (bypass CVE-2019-5475) that could allow an attacker a Remote Code Execution (RCE). All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability.
GHSA
OS Command Injection in Nexus Yum Repository Plugin
ghsa · 2019-09-11 · CVE-2019-5475 [HIGH] · CWE-78
The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Execution when instances using CommandLineExecutor.java are supplied vulnerable data, such as the Yum Configuration Capability.
OSV
OS Command Injection in Nexus Yum Repository Plugin
osv · 2019-09-11 · CVE-2019-5475 [HIGH]
The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Execution when instances using CommandLineExecutor.java are supplied vulnerable data, such as the Yum Configuration Capability.
No detection rules found.
No public exploits indexed.
HackerOne
OS Command Injection in Nexus Repository Manager 2.x (bypass CVE-2019-5475)
hackerone · 2019-10-29 · CVSS 8.8 · CVE-2019-5475 [HIGH]
## OS Command Injection in Nexus Repository Manager 2.x(bypass CVE-2019-5475)
# Maven artifact
**groupId:** org.sonatype.nexus.plugins
**artifactId:** nexus-yum-repository-plugin
**version:** 2.14.14-01
# Vulnerability
## Vulnerability Description
The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability.
## Additional Details
Take a look at the patch for CVE-2019-5475
https://github.com/sonatype/nexus-public/commit/7b9939e71693422d3e09adc3744fa2e9b3a62a63#diff-4ab0523de106ac7a38808f0231fc8a23R84
The `getCleanCommand` method is not completely filtered and can still be
HackerOne
OS Command Injection in Nexus Repository Manager 2.x
hackerone · 2019-08-20 · CVSS 9.1 · [CRITICAL]
# Maven artifact
**groupId:** org.sonatype.nexus.plugins
**artifactId:** nexus-yum-repository-plugin
**version:** 2.14.9-01
# Vulnerability
## Vulnerability Description
The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability.
## Additional Details
**Source File and Line Number:** https://github.com/sonatype/nexus-public/blob/release-2.14.9-01/plugins/yum/nexus-yum-repository-plugin/src/main/java/org/sonatype/nexus/yum/internal/capabilities/YumCapability.java#L121
## Steps To Reproduce:
1. Navigate to "Capabilities" in Nexus Repository Manager.
2. Edit or create a new Yum: Configuration capabilit
References
- https://hackerone.com/reports/688270
- https://support.sonatype.com/hc/en-us/articles/360033490774-CVE-2019-5475-Nexus-Repository-Manager-2-OS-Command-Injection-2019-08-09