April 13, 2020

GHSL-2020-013: Remote Code Execution - Dynamic Code Evaluation via Scripts in Nexus Repository Manager

Alvaro Muñoz

Summary

GHSL-2020-013 - Remote Code Execution - Dynamic Code Evaluation via Scripts

Product

Nexus Repository Manager

Tested Version

3.20.1

CVE

No CVE was assigned

Details

It is possible for a user with the right permissions to execute arbitrary Groovy or JavaScript scripts, resulting in remote code execution.

For example, an attacker can create a script by using the following endpoint:

Endpoint: src/main/java/org/sonatype/nexus/script/plugin/internal/rest/ScriptResource.groovy
Permissions: nx-script-*-add

And later execute the script using the following endpoint:

Endpoint: src/main/java/org/sonatype/nexus/script/plugin/internal/rest/ScriptResource.groovy
Permissions: nx-script-*-run
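
A least-privilege audit for the permission pair named above, added here as an example and not part of the advisory or of Nexus itself: it flattens each user's roles into effective privileges from a constructed role export and flags anyone holding both `nx-script-*-add` and `nx-script-*-run`, including through a covering wildcard such as `nx-script-*-*` or `nx-all`. The wildcard matching rule, the sample roles and users, and the per-script privilege `nx-script-deploy-run` are assumptions.

```python
from typing import Dict, List, Set

# Constructed sample data, not from the advisory: a Nexus-style export of
# roles -> privileges and users -> roles (role nesting is not modelled).
SAMPLE_ROLES: Dict[str, List[str]] = {
    "nx-admin": ["nx-all"],
    "release-managers": ["nx-repository-view-*-*-*", "nx-script-*-add", "nx-script-*-run"],
    "script-authors": ["nx-script-*-add", "nx-script-*-edit"],
    "ci-runner": ["nx-script-deploy-run"],  # assumed per-script run privilege
}
SAMPLE_USERS: Dict[str, List[str]] = {
    "alice": ["nx-admin"],
    "bob": ["release-managers"],
    "carol": ["script-authors"],
    "dave": ["script-authors", "ci-runner"],
}

# The two privileges the advisory names for creating and for running scripts.
SCRIPT_ADD = "nx-script-*-add"
SCRIPT_RUN = "nx-script-*-run"

def privilege_matches(granted: str, required: str) -> bool:
    """True if a granted privilege covers a required one. Assumed naming scheme:
    hyphen-separated segments, '*' on either side matches any segment, 'nx-all' covers all."""
    if granted == "nx-all":
        return True
    g, r = granted.split("-"), required.split("-")
    return len(g) == len(r) and all(a == b or "*" in (a, b) for a, b in zip(g, r))

def effective_privileges(user: str, users: Dict[str, List[str]],
                         roles: Dict[str, List[str]]) -> Set[str]:
    """Flatten a user's roles into the set of privileges they grant."""
    return {p for role in users.get(user, []) for p in roles.get(role, [])}

def can_add_and_run_scripts(privs: Set[str]) -> bool:
    """The chain from the advisory: permission to create a script and to execute it."""
    return (any(privilege_matches(p, SCRIPT_ADD) for p in privs)
            and any(privilege_matches(p, SCRIPT_RUN) for p in privs))

def audit_script_rce_paths(users: Dict[str, List[str]],
                           roles: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Map each user who can both add and run scripts to the script privileges responsible."""
    findings = {}
    for user in users:
        privs = effective_privileges(user, users, roles)
        if can_add_and_run_scripts(privs):
            findings[user] = {p for p in privs if privilege_matches(p, "nx-script-*-*")}
    return findings
```

Users who hold only one half of the pair (carol, who can add but not run) are not reported; the same resolution can be run against a real role and user export to find who needs both privileges trimmed.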

Impact

This issue may lead to remote code execution by high-privilege users.

Coordinated Disclosure Timeline

  • 02/03/2020: Report sent to Sonatype
  • 02/03/2020: Sonatype acknowledged report
  • 02/14/2020: Sonatype raises questions about some of the issues
  • 02/17/2020: GHSL answers Sonatype questions
  • 02/19/2020: Sonatype agrees with GHSL comments

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com. Please include the GHSL-2020-013 identifier in any communication regarding this issue.