Summary
GHSL-2020-014 - Remote Code execution - Dynamic Code Evaluation via Scheduled Tasks
Product
Nexus Repository Manager
Tested Version
3.20.1
CVE
No CVE was assigned
Details
It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution.
For example, an attacker can create a task using the following request:
Source: src/main/java/org/sonatype/nexus/coreui/TaskComponent.groovy:124
Permissions: nx-tasks-create
A similar attack is also possible by updating existing tasks:
Source: src/main/java/org/sonatype/nexus/coreui/TaskComponent.groovy:151
Permissions: nx-tasks-update
Note: These endpoints are also vulnerable to EL injection (see: GHSL-2020-015)
Impact
This issue may lead to Remote Code execution by high-privilege users
Coordinated Disclosure Timeline
- 02/03/2020: Report sent to Sonatype
- 02/03/2020: Sonatype acknowledged report
- 02/14/2020: Sonatype raises questions about some of the issues
- 02/17/2020: GHSL answers Sonatype questions
- 02/19/2020: Sonatype agrees with GHSL comments
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com
, please include the GHSL-2020-014
in any communication regarding this issue.