Remote Code Execution (RCE) Affecting org.sonatype.nexus.plugins:nexus-yum-repository-plugin package, versions [2.11.0-01, 2.14.14-01)
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
- Integrity: High
Threat Intelligence
- Exploit Maturity: Mature
- EPSS: 0.76% (81st percentile)
- Snyk ID SNYK-JAVA-ORGSONATYPENEXUSPLUGINS-460759
- published 3 Sep 2019
- disclosed 3 Sep 2019
- credit cbagdude, Christian August Holm Hansen
How to fix?
Upgrade org.sonatype.nexus.plugins:nexus-yum-repository-plugin to version 2.14.14-01 or higher.
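A quick way to tell whether a build declares an affected version is to compare the declared version against the advisory's range [2.11.0-01, 2.14.14-01). The script below is an added example, not Snyk's or Sonatype's code; it assumes Nexus 2.x plugin versions follow the dotted-numeric-plus-build scheme used in the advisory (for example "2.14.13-01"), and the pom.xml it scans is constructed for the demo.

```python
"""Check declared nexus-yum-repository-plugin versions against the advisory's
affected range [2.11.0-01, 2.14.14-01).

Added example, not Snyk's or Sonatype's code. Assumes the version scheme
"major.minor.patch-build" seen in the advisory; the pom.xml is constructed.
"""
import re
import xml.etree.ElementTree as ET

GROUP_ID = "org.sonatype.nexus.plugins"
ARTIFACT_ID = "nexus-yum-repository-plugin"
AFFECTED_FROM = "2.11.0-01"   # inclusive lower bound
FIXED_IN = "2.14.14-01"       # exclusive upper bound: first fixed release

# Constructed sample pom.xml for the demo (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.sonatype.nexus.plugins</groupId>
      <artifactId>nexus-yum-repository-plugin</artifactId>
      <version>2.14.13-01</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_version(version):
    """Turn "2.14.13-01" into a comparable tuple: ((2, 14, 13), 1).

    Missing trailing components compare as 0, so "2.14" == "2.14.0-00".
    Anything outside the numeric scheme (e.g. "${nexus.version}") is
    rejected rather than guessed at.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version format: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad to major.minor.patch
    build = int(m.group(2)) if m.group(2) else 0
    return tuple(parts), build


def is_affected(version):
    """True when AFFECTED_FROM <= version < FIXED_IN."""
    return parse_version(AFFECTED_FROM) <= parse_version(version) < parse_version(FIXED_IN)


def _local(tag):
    """Strip the Maven POM namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_plugin_versions(pom_xml):
    """Return every declared version of the advisory's artifact in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == GROUP_ID and fields.get("artifactId") == ARTIFACT_ID:
            found.append(fields.get("version", ""))
    return found


def report(pom_xml):
    """Map each declared version to True (affected), False, or None (unparseable)."""
    verdicts = {}
    for v in find_plugin_versions(pom_xml):
        try:
            verdicts[v] = is_affected(v)
        except ValueError:
            verdicts[v] = None  # property-managed version; resolve it first
    return verdicts


if __name__ == "__main__":
    for version, affected in report(SAMPLE_POM).items():
        status = {True: "AFFECTED, upgrade to >= " + FIXED_IN,
                  False: "not affected",
                  None: "unresolved version, check mvn dependency:tree"}[affected]
        print(f"{ARTIFACT_ID} {version}: {status}")
```

A `<version>` that is a Maven property (`${nexus.version}`) or inherited from a parent pom is reported as unresolved; run `mvn dependency:tree` and check the resolved version instead of trusting the literal text.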
Overview
org.sonatype.nexus.plugins:nexus-yum-repository-plugin is a plugin for Sonatype Nexus 1.9.2.x or 2.x that recognizes RPMs in Nexus Maven repositories and generates Yum metadata, so that RedHat-compatible systems can use Nexus as a software repository.
Affected versions of this package are vulnerable to Remote Code Execution (RCE). Values that reach CommandLineExecutor.java, such as settings supplied through the Yum Configuration Capability, are passed on to a command line, so whoever can supply that configuration can execute commands on the Nexus host.
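The bug class behind this advisory, shown as an added illustration in Python rather than the plugin's own Java: a configured tool path concatenated into a command line that a shell interprets, beside a hardened form that validates the path against an allowlist and passes arguments as a list with no shell. This is not the plugin's CommandLineExecutor.java; the setting name, the allowed directories and the tool names are assumptions made for the demo.

```python
"""Illustration of the bug class in the advisory: a configuration value that is
spliced into a shell command line becomes remote code execution.

Added example, not the plugin's CommandLineExecutor.java. The tool-path
setting, the allowed directories and the tool names are hypothetical.
"""
import re
import subprocess

# Hypothetical policy for the hardened version: where external tools may live
# and which tool names are acceptable. Not taken from the plugin.
ALLOWED_TOOL_DIRS = ("/usr/bin", "/usr/local/bin")
ALLOWED_TOOL_NAMES = ("createrepo", "mergerepo")
# Plain absolute path: no spaces, no shell metacharacters (; | & $ ` > < etc.).
_SAFE_PATH = re.compile(r"^/[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)*$")


def vulnerable_command_line(tool_path_setting, repo_dir):
    """Vulnerable pattern: string concatenation destined for `sh -c`.

    Whatever is stored in the setting is interpreted by the shell, so a value
    such as "/usr/bin/createrepo; id" runs two commands.
    """
    return f"{tool_path_setting} --update {repo_dir}"


def run_vulnerable(tool_path_setting, repo_dir):
    """Equivalent of Runtime.exec(new String[]{"sh", "-c", cmd}). Do not use."""
    return subprocess.run(vulnerable_command_line(tool_path_setting, repo_dir),
                          shell=True, capture_output=True, text=True)


def validate_tool_path(tool_path_setting):
    """Accept only a plain absolute path to an allowlisted tool; raise otherwise."""
    path = tool_path_setting
    if not _SAFE_PATH.match(path):
        raise ValueError(f"tool path contains disallowed characters: {path!r}")
    if ".." in path.split("/"):
        raise ValueError(f"tool path must not contain '..' segments: {path!r}")
    directory, _, name = path.rpartition("/")
    if directory not in ALLOWED_TOOL_DIRS:
        raise ValueError(f"tool directory not allowed: {directory!r}")
    if name not in ALLOWED_TOOL_NAMES:
        raise ValueError(f"tool name not allowed: {name!r}")
    return path


def hardened_argv(tool_path_setting, repo_dir):
    """Hardened pattern: validated path, arguments as a list, no shell.

    With a list argv each element is exactly one argument to the program, so
    shell metacharacters in repo_dir are data, never syntax.
    """
    return [validate_tool_path(tool_path_setting), "--update", repo_dir]


def run_hardened(tool_path_setting, repo_dir):
    """Equivalent of ProcessBuilder(List<String>) with no shell involved."""
    return subprocess.run(hardened_argv(tool_path_setting, repo_dir),
                          capture_output=True, text=True, check=False)


def is_accepted(tool_path_setting):
    """True if the hardened validator would accept this setting."""
    try:
        validate_tool_path(tool_path_setting)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    repo = "/var/nexus/yum/repo"
    payload = "/usr/bin/createrepo; id > /tmp/pwned"   # attacker-controlled setting
    print("shell would execute:", vulnerable_command_line(payload, repo))
    for setting in ("/usr/bin/createrepo", payload, "/tmp/evil/createrepo",
                    "/usr/bin/../bin/createrepo"):
        try:
            print("accepted:", hardened_argv(setting, repo))
        except ValueError as err:
            print("rejected:", err)
```

Switching to an argv list removes shell interpretation but not argument injection: a repo_dir beginning with `-` would still be read as an option by the tool, so in practice the directory should be validated too (absolute, normalized, and under the storage root) before it is placed in argv.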