April 13, 2020

GHSL-2020-015: Remote Code Execution - Bypass of CVE-2018-16621 mitigations in Nexus Repository Manager

Alvaro Muñoz

Summary

GHSL-2020-015 - Remote Code Execution - Bypass of CVE-2018-16621 mitigations

Product

Nexus Repository Manager

Tested Version

3.20.1

CVE

CVE-2020-10204

Details

The current mitigation for the EL injections reported in CVE-2018-16621 involves stripping the EL delimiters out of user-controlled data with the stripJavaEl method:

public String stripJavaEl(final String value) {
	if (value != null) {
		// Collapse one or more '$' followed by '{' into a bare '{' so that ${...}
		// is no longer recognised as an EL expression by the message interpolator.
		return value.replaceAll("\\$+\\{", "{");
	}
	return null;
}

However, several bugs were found in Hibernate Validator and the Java EL implementation that allow the EL engine to evaluate expressions that are not wrapped in the standard ${} delimiters. The regular expression used in stripJavaEl does not match those alternative delimiters, so the injection from CVE-2018-16621 can be re-enabled.

These bugs have been reported to the corresponding vendors and will be fixed in future releases.
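Stripping delimiters with a regex is a denylist, so any new delimiter syntax the interpolator accepts silently defeats it. The following is an added example, not Nexus or GHSL code, of the defensive pattern that does not depend on recognising delimiters at all: the constraint's message template stays a constant, the untrusted value is handed to Hibernate Validator as a message parameter instead of being concatenated into the template, and the validator is built with a ParameterMessageInterpolator, which resolves {name} placeholders but never evaluates EL. The @SafeCron annotation, SafeCronValidator, TaskForm and the looksLikeCron stand-in check are all hypothetical and modelled loosely on the @CronExpression case listed below; it assumes Hibernate Validator 6.x on the javax.validation API.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

public class SafeCronValidation {

  // Hypothetical constraint for this example; not the Nexus @CronExpression annotation.
  @Target({ElementType.FIELD, ElementType.PARAMETER})
  @Retention(RetentionPolicy.RUNTIME)
  @Constraint(validatedBy = SafeCronValidator.class)
  public @interface SafeCron {
    // Static template: the user value is referenced as a message parameter, never concatenated in.
    String message() default "Invalid cron expression: {value}";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
  }

  public static class SafeCronValidator implements ConstraintValidator<SafeCron, String> {

    // Toy syntax check standing in for a real cron parser (assumption for the example).
    static boolean looksLikeCron(String s) {
      return s != null && s.trim().split("\\s+").length >= 5;
    }

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
      if (looksLikeCron(value)) {
        return true;
      }
      ctx.disableDefaultConstraintViolation();
      HibernateConstraintValidatorContext hctx = ctx.unwrap(HibernateConstraintValidatorContext.class);
      // The untrusted input becomes a parameter value; the template itself is the constant above,
      // so there is nothing user-controlled for the interpolator to parse as an expression.
      hctx.addMessageParameter("value", value)
          .buildConstraintViolationWithTemplate(hctx.getDefaultConstraintMessageTemplate())
          .addConstraintViolation();
      return false;
    }
  }

  // Stand-in for a form object such as TaskXO; hypothetical.
  public static class TaskForm {
    @SafeCron
    public String cronExpression;

    TaskForm(String cronExpression) {
      this.cronExpression = cronExpression;
    }
  }

  public static void main(String[] args) {
    // ParameterMessageInterpolator substitutes {value}-style parameters only and does not
    // evaluate EL, regardless of which delimiter syntax the EL engine would otherwise accept.
    Validator validator = Validation.byDefaultProvider()
        .configure()
        .messageInterpolator(new ParameterMessageInterpolator())
        .buildValidatorFactory()
        .getValidator();

    // Constructed sample input: an invalid expression that is echoed back verbatim.
    Set<ConstraintViolation<TaskForm>> violations = validator.validate(new TaskForm("not-a-cron"));
    for (ConstraintViolation<TaskForm> v : violations) {
      System.out.println(v.getMessage());
    }
  }
}
```

Both halves matter: the static template plus message parameter keeps user input out of the expression language even on a default interpolator, and the ParameterMessageInterpolator removes EL evaluation entirely for applications that do not need it, which is the setting a repository manager's validation messages can live with.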

What follows is a list of all endpoints affected by this vulnerability:

  • CronExpressionValidator (@CronExpression)
    • TaskXO.groovy [cronExpression]
      • TaskComponent
        • TaskComponent.create(final @NotNull @Valid TaskXO taskXO)
        • TaskComponent.update(final @NotNull @Valid TaskXO taskXO)
  • RolesExistValidator (@RolesExist)
    • UserXO.groovy [roles]
      • UserComponent
        • UserComponent.create(@NotNull @Valid final UserXO userXO)
        • UserComponent.update(@NotNull @Valid final UserXO userXO)
    • RoleXO.groovy [roles]
      • RoleComponent.groovy
        • RoleComponent.create(@NotNull @Valid final RoleXO roleXO)
        • RoleComponent.update(@NotNull @Valid final RoleXO roleXO)
    • UserRoleMappingsXO.groovy [roles]
      • UserComponent
        • see above
  • PrivilegesExistValidator (@PrivilegesExist)
    • RoleXO.groovy
      • RoleComponent.groovy
        • RoleComponent.create(@NotNull @Valid final RoleXO roleXO)
        • RoleComponent.update(@NotNull @Valid final RoleXO roleXO)

Impact

This issue may lead to remote code execution by high-privilege users.

Coordinated Disclosure Timeline

  • 02/03/2020: Report sent to Sonatype
  • 02/03/2020: Sonatype acknowledged report
  • 02/14/2020: Sonatype raises questions about some of the issues
  • 02/17/2020: GHSL answers Sonatype questions
  • 02/19/2020: Sonatype agrees with GHSL comments

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-015 in any communication regarding this issue.