Code Execution Flaw Found in Sonatype Nexus Repository Manager
A critical remote code execution vulnerability has been discovered and patched in Sonatype's Nexus Repository Manager (NXRM), a popular open-source application that allows developers to manage software components.
The flaw, tracked as CVE-2019-7238, was reported to Sonatype by researchers from the Chinese companies Chaitin Tech and Tencent. A patch was released by the vendor on January 11, and Trend Micro on Thursday published technical details on how the vulnerability can be exploited.
The researchers found that a weakness related to insufficient access controls in NXRM, specifically versions 3.6.2 OSS/Pro through 3.14.0, allows an unauthenticated attacker to remotely execute arbitrary code and commands on the host system by sending specially crafted requests. The security hole has been patched with the release of version 3.15.
The flaw has been classified as "critical" (CVSS score of 10), and Trend Micro warns that, because it does not require authentication, it is easier for malicious actors to exploit. The risk of exploitation in the wild is also increased by the fact that NXRM has over 150,000 active server installations.
“Repository managers such as NXRM 3 are tools that software developers can use for speed and efficiency. However, as evidenced by vulnerabilities like CVE-2019-7238, such tools can also be susceptible to abuse,” Trend Micro warned. “This highlights the need for continuous monitoring in software development, which involves identifying vulnerabilities and making use of the latest threat intelligence against malware or exploits that take advantage of security flaws.”
In its advisory for CVE-2019-7238, Sonatype said it became aware in late February that third parties were about to publish exploit instructions, but it is unclear whether the company was referring to Trend Micro. A video showing the exploit in action was posted to YouTube in mid-February.